On Saturday, May 21, 2005 05:08:42 PM +0200 Albrecht Gebhardt <[EMAIL PROTECTED]> wrote:


fs: Tokens for user of AFS id XYZ for cell uni-klu.ac.at are discarded
(rxkad error=19270405)

As you determined, 19270405 is RXKADNOAUTH, "caller not authorized".
There are several cases where this can occur.  One is the case you found,
where the caller presents a Kerberos V5 ticket with the 'invalid' flag set. This bit is normally set only on post-dated tickets, which are timed to be valid at some point in the future but must be validated by the KDC before they can be used. This case does not occur often in practice.

A second case which can result in RXKADNOAUTH is when the caller presents a ticket whose start and end times do not appear valid. This can occur when the start time is later than the end time, or if the ticket expired more than 30 days in the past, is not valid until more than 30 days in the future, or has a lifetime longer than 30 days. Unless you have made a recent configuration change on your KDC, this case would indicate that either the KDC's or the server's clock is off by more than 30 days.

I'd suggest checking the clocks on all your servers.

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to