Ulrich Eck wrote:
hi there,
we have a small AFS-Cell using MIT-KRB5+524d on several debian/linux
machines.
after upgrading one of the openafs-clients (debian) to v1.4.1 + new
kernel-modules
we're not able to access the afs-cell from this system.
there seems to be a difference between v1.3.81 (used on our
fileservers/other clients) and
the new v1.4.1 in respect to what service-ticket aklog requests.
on a working machine it requests a service-ticket for [EMAIL PROTECTED]
with the new
version it requests afs/[EMAIL PROTECTED] i tried to create a
principal afs/[EMAIL PROTECTED] in our kdc - but i didn't have success
as the kvno of the newly created principal does not match the
server-config.
Not sure what you mean by server-config.
But the /usr/afs/KeyFile on the servers only have des keys and key
version numbers. It can not check which key belongs to
which principal. So as long as the kvno's are different on
the principals for afs/[EMAIL PROTECTED] and [EMAIL PROTECTED]
you can add both keys to the KeyFile.
i get this error-message in the syslog of the client:
kernel: afs: Tokens for user of AFS id XXX for cell cellname are
discarded (rxkad error=19270408)
~$ translate_et 19270408
19270408 (rxk).8 = ticket contained unknown key version number
so my question(s):
is it possible to tell aklog to behave like it did before the upgrade
(ergo request the [EMAIL PROTECTED] ticket) ?
So it would not mater.
if not: can i tell the afs-cell to accept more than one service-ticket
([EMAIL PROTECTED] and afs/[EMAIL PROTECTED]) and if yes - how would i do
so ?
Yes, see above.
thanks in advance for any suggestions/help
cheers Ulrich
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
