Hello Russ,

the key was created on the KDC with:

    addprinc -policy service -randkey -e des-cbc-crc:v4 afs

from kadmin.local.

As far as I understand, it defines only DES for communication? I did not modify a key - this is my first AFS installation and I was just following the howto.

How do I check if aklog is using the right keyfile?

I have also tried to get some help through IRC, but unfortunately, the only person who tried to help me didn't have much time. This is a log: http://www.ece.cmu.edu/~allbery/lambdabot/logs/openafs/2008-12-26.txt. My nick is n-other in this talk. Is there anything useful that can be found in this log to help me with the problem?

2008/12/27 Russ Allbery <[email protected]>:
> "Roman Hlynovskiy" <[email protected]> writes:
>
>> I am trying to implement openafs to a couple of servers according to
>> this guide: http://www.debian-administration.org/articles/610
>>
>> afs-newcell
>> goes fine
>> kinit root/admin; aklog
>> also ok
>>
>> but afs-rootvol
>> fails on fs sa /afs system:anyuser rl
>> with
>> fs sa /afs system:anyuser rl
>> fs: You don't have the required access rights on '/afs'
>> Failed: 256
>>
>> at the same time openafs module dumps the following line to dmesg:
>> afs: Tokens for user of AFS id 0 for cell forever.kz are discarded
>> (rxkad error=19270407)
>
> windlord:~> translate_et 19270407
> 19270407 (rxk).7 = security object was passed a bad ticket
>
> Chances are fairly high that this error message means that your AFS server
> disagrees with your Kerberos server about the afs/* key. In other words,
> what you have in the KeyFile for your AFS server doesn't match what's in
> the KDC, either in the key or in the kvno. Possible causes:
>
> * The key in the KDC is not restricted to only a DES enctype.
>
> * You've changed the KDC key (such as with a subsequent kadmin addkey
> command) since you imported the key into the AFS KeyFile with asetkey.
>
> * You specified the wrong kvno in the asetkey command.
>
> * You have both an afs key and an afs/<cell> key in Kerberos and aklog
> isn't using the one that you expect it to use.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
>

--
...WBR, Roman Hlynovskiy
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
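The first three causes in the quoted reply can be checked by comparing what the KDC holds for the afs principal with what the AFS KeyFile lists. The script below is an added example, not part of the original thread: it assumes the line formats printed by `kadmin.local -q "getprinc afs"` and `asetkey list`, and the sample text, realm and key value are constructed.

```python
import re

# Constructed sample text. The line formats are assumed to match what
# `kadmin.local -q "getprinc afs"` and `asetkey list` print; the realm
# and key value are placeholders.
SAMPLE_GETPRINC = """\
Principal: afs@EXAMPLE.ORG
Number of keys: 2
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
"""
SAMPLE_ASETKEY = """\
kvno    2: key is: 0123456789abcdef
All done.
"""

def kdc_keys(getprinc_text):
    """Return [(kvno, enctype description)] for each key the KDC holds."""
    pattern = r"^Key: vno (\d+), ([^,\n]+)"
    return [(int(m.group(1)), m.group(2).strip())
            for m in re.finditer(pattern, getprinc_text, re.M)]

def keyfile_kvnos(asetkey_text):
    """Return the kvnos present in the AFS KeyFile listing."""
    return [int(m.group(1))
            for m in re.finditer(r"^kvno\s+(\d+): key is:", asetkey_text, re.M)]

def check(getprinc_text, asetkey_text):
    """Report enctype and kvno disagreements between KDC and KeyFile."""
    findings = []
    keys = kdc_keys(getprinc_text)
    in_file = set(keyfile_kvnos(asetkey_text))
    # Cause 1: the KDC key must be single DES only.
    extra = sorted({e for _, e in keys if not e.startswith("DES cbc mode")})
    if extra:
        findings.append("KDC key not restricted to DES: " + "; ".join(extra))
    # Causes 2 and 3: a re-keyed principal or a wrong asetkey kvno both
    # leave the KDC issuing tickets under a kvno the KeyFile lacks.
    missing = sorted({k for k, _ in keys} - in_file)
    if missing:
        findings.append(f"KDC kvno {missing} not in KeyFile (has {sorted(in_file)})")
    return findings

if __name__ == "__main__":
    for line in check(SAMPLE_GETPRINC, SAMPLE_ASETKEY):
        print(line)
```

A matching kvno and enctype do not prove that the key bytes are identical, so an empty result rules out only these mismatches.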
