On Fri, 07 Jan 2011 20:44:50 -0500 Jeff Blaine <[email protected]> wrote:
> > So, do you mean it works when you 'kinit; aklog', but you get an
> > error when you login normally? (as in, using a password) Whether
> > that be via ssh or whatever.
>
> What I've found is that any authentication to kaserver
> ends up with a token that gets trashed/"discarded".
> That is, I can run klog, seemingly get tokens fine, and
> then they are discarded when I run the 'tokens' command.

Oh, okay, kinit/aklog as opposed to klog. That makes more sense.

> ~:cairo> touch file-in-home
> touch: file-in-home cannot create
> ~:cairo> echo tokens-are-bogus-but-listed
> tokens-are-bogus-but-listed

They're still there because such an error to one server doesn't
necessarily mean all servers will give the same error. At least, I think
that's the reasoning.

> And here is all of our servers showing matching keys (key 17
> is the one ktadd made which we then asetkey'd):

Yes, but that's the key for the krb5 setup. The kaserver setup will have
a different service key and kvno (unless you did something special to
synchronize them). Did you perhaps the key that kaserver was using from
the KeyFile to make room for the new krb5 key?

'kas examine' can tell you the kvno for the afs service key in the kadb.
If it's not in the KeyFile on your servers, well, there you go.

> % for i in sonia shiva svetlana ur bunky canaan ephesus
> babylon; do bos listkeys $i | grep 'key 17'; done
> key 17 has cksum 1172998608

Obfuscated cksum, right?

-- 
Andrew Deason
[email protected]
