Hi! I have a rather small and simple setup (based on the description in [1]) with two Ubuntu file servers and a couple of clients. Because of the small setup I used to move configuration files around. Now I got scared by the message that 1.6.0 fileservers were unsafe to use [2] and upgraded the openafs installation on the Ubuntu boxes to 1.6.1~pre1-1. This now works as well as before, but I think I'm seeing some timeouts, especially using a 1.7.x Windows client. But I still have to figure out if this is just a misconfiguration or a real problem.

Because while upgrading I added SRV entries for kerberos and openafs to my nameserver. Kerberos authentication just worked out of the box. As you might have guessed by now, getting access to afs wasn't working that easily.

    smith@ubuntuclient:~$ aklog
    aklog: Couldn't get mydomain.com AFS tickets:
    aklog: unknown RPC error (-1765328377) while getting AFS tickets

    smith@ubuntuclient:~$ aklog -d
    Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
    Trying to authenticate to user's realm MYDOMAIN.COM.
    Getting tickets: afs/[email protected]
    We've deduced that we need to authenticate using referrals.
    Getting tickets: afs/mydomain.com@
    We've deduced that we need to authenticate to realm HOME.MYDOMAIN.COM.
    Getting tickets: afs/[email protected]
    Kerberos error code returned by get_cred : -1765328377
    aklog: Couldn't get mydomain.com AFS tickets:
    aklog: unknown RPC error (-1765328377) while getting AFS tickets

    smith@ubuntuclient:~$ aklog -d mydomain.com -k MYDOMAIN.COM
    Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
    We were told to authenticate to realm MYDOMAIN.COM.
    Getting tickets: afs/[email protected]
    Getting tickets: afs/[email protected]
    Getting tickets: [email protected]
    Using Kerberos V5 ticket natively
    About to resolve name smith to id in cell mydomain.com.
    Id 20000
    Set username to AFS ID 20000
    Setting tokens. AFS ID 20000 @ mydomain.com

The principal I used until now was [email protected]. Do I need to create a new principal afs/[email protected] and make afs use this one, to make the above work with just using aklog? Should I change user principals as well?

Thanks,
Alex

[1] http://www.debian-administration.org/article/610/OpenAFS_installation_on_Debian
[2] http://old.nabble.com/Re%3A-Timeouts-and-odd-behavior-with-1.6.0-file-servers-p33204316.html
