Jean-Fabrice <[EMAIL PROTECTED]> writes:

> Here at work, we're trying to set up our first openafs fileserver
> under debian stable, sparc64, kernel 2.6.16.18
> The openafs server suite is fully taken from debian stable repository,
> while openafs-modules sources is 1.4.2~fc2 taken from unstable since
> stable is only 1.3.81 and does not support sparc64 2.6 kernel.

> I followed the guide located at
> http://www.debianplanet.org/node.php?id=816 and my problems begin
> with 'fs setacl /afs system:anyuser rl'.
> The error is : "fs: You don't have the required access rights on '/afs'"

That's pretty much equivalent to the scripts that come with the OpenAFS
package, but either way I think you'd still have problems given what you
have below:

> When I issue 'fs la /afs', I got this in logfile :
> 2.079415] afs: Tokens for user of AFS id 1 for cell ral.admin are
> discarded (rxkad error=19270410)
> translate_et 19270410 says "sealed data inconsistent". Could this be
> due to the fact that I'm using 1.4.2fc2 client against a 1.3.81
> fileserver ?

No, I'd be more inclined to suspect that what you have in your OpenAFS
KeyFile and what's in your KDC database doesn't match, either in key or in
kvno. When you did the asetkey, what did you use for the kvno? The
instructions you followed aren't as comprehensive as the ones that come
with the OpenAFS package about exactly how to do that.

Compare bos listkeys with kadmin getprinc on the afs principal. (Hm, I
forget how to do the bos listkeys equivalent without having authentication
working with bosserver but without restarting it with -noauth.)

> while investigating, I found that 'aklog' produces the following in
> krb5kdc.log :
> Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes
> {1}) 172.24.0.8: UNKNOWN_SERVER: authtime 1159177388, [EMAIL PROTECTED]
> for afs/[EMAIL PROTECTED], Server not found in Kerberos database
> Sep 25 11:43:18 ralingwb06 krb5kdc[14155](info): TGS_REQ (1 etypes
> {1}) 172.24.0.8: ISSUE: authtime 1159177388, etypes {rep=16 tkt=1
> ses=1}, [EMAIL PROTECTED] for [EMAIL PROTECTED]

aklog tries afs/[EMAIL PROTECTED] first since that's the recommended
principal name (and allows such things as multiple cells with one realm).
So the above is normal given that you used the old principal name format.

> The "server not found" sounds strange.. Are these two lines related to
> the same authentication ? I mean, does aklog first try
> afs/[EMAIL PROTECTED] which fails and then [EMAIL PROTECTED] which
> succeeds ?

Right.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
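
The comparison suggested in the reply (bos listkeys against kadmin getprinc on the afs principal), as an added example that is not part of the original thread: it parses captured output of the two commands and reports a kvno mismatch. The sample output, its line shapes, the realm name and the function names are constructed assumptions.

```python
import re

# Constructed sample output (assumed line shapes, placeholder realm and values).
BOS_LISTKEYS = """\
key 0 has cksum 1123581321
Keys last changed on Mon Sep 25 10:12:44 2006.
All done.
"""
KADMIN_GETPRINC = """\
Principal: afs@EXAMPLE.ORG
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
"""


def keyfile_kvnos(bos_output):
    """kvnos present in the fileserver KeyFile, from `bos listkeys` text."""
    found = re.findall(r"^key (\d+) has cksum", bos_output, re.M)
    return sorted({int(n) for n in found})


def kdc_kvnos(getprinc_output):
    """kvnos the KDC holds for the afs principal, from `kadmin getprinc` text."""
    found = re.findall(r"^Key: vno (\d+)", getprinc_output, re.M)
    return sorted({int(n) for n in found})


def compare_kvnos(bos_output, getprinc_output):
    """Return a list of problems; an empty list means the kvnos line up."""
    in_file, in_kdc = keyfile_kvnos(bos_output), kdc_kvnos(getprinc_output)
    if not in_file:
        return ["no keys parsed from bos listkeys output"]
    if not in_kdc:
        return ["no keys parsed from kadmin getprinc output"]
    current = max(in_kdc)  # the KDC issues tickets under its highest kvno
    problems = []
    if current not in in_file:
        problems.append(
            f"KDC kvno {current} missing from KeyFile (KeyFile has {in_file})")
    return problems


if __name__ == "__main__":
    for line in compare_kvnos(BOS_LISTKEYS, KADMIN_GETPRINC) or ["kvnos match"]:
        print(line)
```

A matching kvno does not show that the key itself matches, which is the other mismatch the reply mentions.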
