You want to use asetkey to add the new key but you should not remove the old key until after all of the Kerberos service tickets using the old key have expired.
Restarting the afs clients is unimportant. What is important is
obtaining a Kerberos 5 service ticket with the new key. If you already
have a Kerberos 5 service ticket, aklog will not obtain a new one. It
will simply re-use the previous one to form a new afs token.
Jeffrey Altman

Tim Spriggs wrote:
> This isn't limited to Windows clients as far as I can tell. I updated the
> keys for my servers yesterday. When I aklog'd I would get an error close
> to "unknown key". I don't remember the exact message.
>
> Once I restart afs on the client machine, everything is fine for some
> reason.
>
> For reference, I used asetkey to add the new key and remove the old key.
>
> Thanks,
> -Tim
>
> Lunar and Planetary Lab
> (520) 626 - 4991 -- SS 416
>
> 1629 E. University Blvd.
> University of Arizona
>
> On Tue, 20 Dec 2005, Renata Maria Dart wrote:
>
>> Hi, we upgraded our AFS server keys this morning and things went
>> smoothly for our Unix clients, but we are seeing some problems with
>> authentication on our Windows clients... Windows users log in to their
>> Windows systems (some running OpenAFS 1.4.0, not sure what others are
>> running), the system says they have a token, but then a short time
>> later or maybe when they actually go to access a file in AFS, their
>> token gets discarded. Any ideas about what is going on and what we
>> can do to get the Windows people working again? I should mention
>> that we are running Kerberos 5 here as well, so the server key
>> update involved the KeyFile and the KDC.
>>
>> Thanks,
>>
>> Renata
>> _______________________________________________
>> OpenAFS-info mailing list
>> [email protected]
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>
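A small model of the key rollover behaviour discussed in this thread, added here as an illustration and not code from any poster or from OpenAFS. The kvno values, clock times and 10-hour ticket lifetime are constructed assumptions; it shows why a reused pre-rotation service ticket fails once the old key is removed, and when removal becomes safe.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Ticket:
    kvno: int          # version of the AFS service key the KDC encrypted it with
    endtime: datetime  # expiry of the Kerberos 5 service ticket

def aklog_ticket(cached, kdc_kvno, now, lifetime=timedelta(hours=10)):
    """Model of the reuse described in the thread: an unexpired cached service
    ticket is reused; otherwise a new one is issued under the KDC's current kvno."""
    if cached is not None and cached.endtime > now:
        return cached
    return Ticket(kvno=kdc_kvno, endtime=now + lifetime)

def server_accepts(ticket, keyfile_kvnos, now):
    """A server can decrypt the ticket only if its KeyFile still holds that kvno."""
    return ticket.endtime > now and ticket.kvno in keyfile_kvnos

def earliest_safe_removal(outstanding, old_kvno, now):
    """Time at which the last unexpired ticket issued under old_kvno expires."""
    ends = [t.endtime for t in outstanding
            if t.kvno == old_kvno and t.endtime > now]
    return max(ends, default=now)

# Constructed scenario: key rotated from kvno 3 to kvno 4 at 09:00.
ROTATION = datetime(2005, 12, 20, 9, 0)
OLD, NEW = 3, 4
# Service ticket issued before the rotation, still valid for 6 more hours.
BEFORE = Ticket(kvno=OLD, endtime=ROTATION + timedelta(hours=6))

def scenario():
    now = ROTATION + timedelta(hours=1)
    reused = aklog_ticket(BEFORE, NEW, now)  # cache hit: still the kvno 3 ticket
    fresh = aklog_ticket(None, NEW, now)     # no cached ticket: issued under kvno 4
    return {
        "old_removed_reused": server_accepts(reused, {NEW}, now),
        "both_kept_reused": server_accepts(reused, {OLD, NEW}, now),
        "old_removed_fresh": server_accepts(fresh, {NEW}, now),
        "remove_old_after": earliest_safe_removal([BEFORE, fresh], OLD, now),
    }

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```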
