After working the problem with Jeffrey Altman and Douglas Engert as well
as Derrick Brashear offline, here's what I was doing wrong:
1) The afs/lionstest.odu.edu key was using the wrong salt... I fixed
this by removing all instances of afs/lionstest.odu.edu from the keytab
and from AFS (using asetkey delete) and replaced them with the proper
one, then recycled the server:
kadmin: addprinc -randkey -e "des-cbc-crc:v4" afs/lionstest.odu.edu
kadmin: ktadd -e "des-cbc-crc:v4" afs/lionstest.odu.edu
# klist -k -e -t -K|grep afs
3 11/12/2008 15:43 afs/[email protected] (DES cbc mode with CRC-32) (0xb58c6e5e0d0b8f54)
# asetkey add 3 /etc/krb5/krb5.keytab afs/lionstest.odu.edu
# asetkey list
kvno 3: key is: b58c6e5e0d0b8f54
All done.
2) Because I'm using a Kerberos realm name which does not match the AFS
cell name, I had to enter that realm into the following two files and
recycle the AFS server and client:
/usr/vice/etc/krb.conf # for the client
/usr/afs/etc/krb.conf # for the server
Once this was done, it worked!
# tokens
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for [email protected] [Expires Dec 12 01:58]
--End of list--
# fs setacl /afs system:anyuser rl
# fs listacl /afs
Access list for /afs is
Normal rights:
system:administrators rlidwka
system:anyuser rl
#
Thanks to all of you - you're the greatest!
--
Tony D'Amato, SCSA (it's Exchange that puts "Nicholas" there)
Senior UNIX Systems Administrator
Server Support Group, OCCS
Old Dominion University
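
Added example (not part of the original message and not OpenAFS code): a shell check that the key asetkey loaded into the AFS KeyFile matches the afs/ entry in the keytab, kvno for kvno, which is the comparison made by eye in step 1 above. It reads saved output of `klist -k -e -t -K` and `asetkey list`; the function names, the placeholder realm EXAMPLE.REALM and the assumption that the principal is the fourth field of each klist entry are assumptions.

```sh
#!/bin/sh
# Constructed sample input modelled on the output in the post.
# The realm is a placeholder; the klist entry is wrapped across two lines on purpose.
sample_klist() {
cat <<'EOF'
   3 11/12/2008 15:43 afs/lionstest.odu.edu@EXAMPLE.REALM (DES cbc mode
with CRC-32) (0xb58c6e5e0d0b8f54)
EOF
}
sample_asetkey() {
cat <<'EOF'
kvno    3: key is: b58c6e5e0d0b8f54
All done.
EOF
}

# check_afs_key PRINCIPAL KLIST_FILE ASETKEY_FILE
# Prints "OK kvno=N", "MISMATCH kvno=N" or "MISSING kvno=N" for each keytab
# entry of PRINCIPAL. Returns non-zero on any problem or if no entry was found.
# Assumes klist was run with -t, so fields are: kvno, date, time, principal.
check_afs_key() {
  awk -v princ="$1" -v keyfile="$3" '
    function flush(   n, f, kvno, key) {
      if (entry == "") return
      n = split(entry, f, " ")
      entry = ""
      if (index(f[4], princ "@") != 1) return      # some other principal
      kvno = f[1]; key = tolower(f[n])             # key is the last field: (0x...)
      gsub(/[()]/, "", key); sub(/^0x/, "", key)
      seen++
      if (!(kvno in afs))        { print "MISSING kvno=" kvno; bad++ }
      else if (afs[kvno] != key) { print "MISMATCH kvno=" kvno; bad++ }
      else                         print "OK kvno=" kvno
    }
    BEGIN {                                         # load "kvno N: key is: HEX" lines
      while ((getline line < keyfile) > 0) {
        n = split(line, a, " ")
        if (a[1] == "kvno" && line ~ /key is:/) {
          k = a[2]; sub(/:$/, "", k); afs[k] = tolower(a[n])
        }
      }
    }
    /^[ \t]*[0-9]+[ \t]/ { flush(); entry = $0; next }   # entry starts with a kvno
    entry != ""          { entry = entry " " $0 }         # wrapped continuation
    END { flush(); exit (bad > 0 || seen == 0) }
  ' "$2"
}
```

Both input files contain raw key material, so write them to a root-only directory and delete them once the check has run.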