You want to use the afs/cell@REALM service principal form for the AFS
service principal.   As the Windows aklog is informing you, given the
local Kerberos configuration and the version of Kerberos installed,
aklog must use Kerberos referrals to request the AFS service ticket.
What this means to you is that the Kerberos library configuration is
unable to determine the Kerberos realm that is associated with the AFS
cell.  Therefore, it must rely upon the Kerberos KDC of the client
principal to know the answer.

Why did you choose to create afs@REALM instead of afs/cell@REALM?

If it is because of documentation you read on openafs.org, please point
us to it so that the documentation can be corrected.

No one should be creating new cells using the afs@REALM service
principal names.

There is nothing that needs to be done to your client principals.

Jeffrey Altman


On 1/31/2012 6:55 AM, Alexander Lazarević wrote:
> Hi!
> 
> I have a rather small and simple setup (based on the description in [1])
> with two ubuntu file servers and a couple of clients. Because of the
> small setup I used to move configuration files around. Now I got scared
> by the message that 1.6.0 fileservers were unsafe to use [2] and
> upgraded the openafs installation on the ubuntu boxes to 1.6.1~pre1-1.
> This now works as well as before, but I think I'm seeing some timeouts
> especially using a 1.7.x windows client. But I still have to figure out
> if this is just a misconfiguration or a real problem.
> 
> Because while upgrading I added SRV entries for kerberos and openafs to
> my nameserver. Kerberos authentication just worked out of the box. As
> you might have guessed by now, getting access to afs wasn't working that
> easily.
> 
> smith@ubuntuclient:~$ aklog
> 
> aklog: Couldn't get mydomain.com AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
> 
> smith@ubuntuclient:~$ aklog -d
> 
> Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
> Trying to authenticate to user's realm MYDOMAIN.COM.
> Getting tickets: afs/mydomain.com@MYDOMAIN.COM
> We've deduced that we need to authenticate using referrals.
> Getting tickets: afs/mydomain.com@
> We've deduced that we need to authenticate to realm HOME.MYDOMAIN.COM.
> Getting tickets: afs/mydomain.com@HOME.MYDOMAIN.COM
> Kerberos error code returned by get_cred : -1765328377
> aklog: Couldn't get mydomain.com AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
> 
> smith@ubuntuclient:~$ aklog -d mydomain.com -k MYDOMAIN.COM
> 
> Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
> We were told to authenticate to realm MYDOMAIN.COM.
> Getting tickets: afs/mydomain.com@MYDOMAIN.COM
> Getting tickets: afs/mydomain.com@MYDOMAIN.COM
> Getting tickets: afs@MYDOMAIN.COM
> Using Kerberos V5 ticket natively
> About to resolve name smith to id in cell mydomain.com.
> Id 20000
> Set username to AFS ID 20000
> Setting tokens. AFS ID 20000 @ mydomain.com
> 
> The principal I used until now was afs@MYDOMAIN.COM. Do I need to create
> a new principal afs/mydomain.com@MYDOMAIN.COM and make afs use this one,
> to make the above work with just using aklog?
> Should I change user principals as well?
> 
> Thanks,
>  Alex
>  
> [1]
> http://www.debian-administration.org/article/610/OpenAFS_installation_on_Debian
> [2]
> http://old.nabble.com/Re%3A-Timeouts-and-odd-behavior-with-1.6.0-file-servers-p33204316.html
> 

Attachment: signature.asc
Description: OpenPGP digital signature
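The point of the reply above is that aklog can only ask for afs/cell@REALM directly when the local Kerberos configuration maps the cell name to a realm; otherwise it has to fall back on a referral and let the client principal's KDC work out the realm. The script below is an added illustration of those two rules and is not code from OpenAFS or from either author of the thread. It models krb5.conf [domain_realm] lookup (exact name first, then parent domains written with a leading dot, the order both MIT and Heimdal use) and the order in which the service principal forms are requested. The two krb5.conf fragments, the cell name mydomain.com and the realm MYDOMAIN.COM are constructed for the example and simply reuse the names from the quoted debug output; the real aklog also consults DNS and the user's own realm, which this simplified model leaves out.

```python
"""Simplified model of how aklog chooses the AFS service principal.

Illustration added to this thread, not OpenAFS code.  Two rules are modelled:
  1. the realm for a cell comes from the [domain_realm] section of krb5.conf
     (exact cell name first, then ".parent.domain" suffixes); with no match
     the client has to request afs/<cell>@ with an empty realm and rely on a
     KDC referral to learn the realm;
  2. the service principal is requested as afs/<cell>@REALM, with the
     legacy afs@REALM form only as a fallback for old cells.
The krb5.conf fragments below are constructed for this example.
"""
import re
from typing import Dict, List, Optional

# Constructed: a client whose krb5.conf says nothing about the cell.
KRB5_CONF_NO_MAPPING = """
[libdefaults]
    default_realm = MYDOMAIN.COM
"""

# Constructed: the same client with the cell mapped to its realm, which is
# what lets aklog skip referrals entirely.
KRB5_CONF_WITH_MAPPING = """
[libdefaults]
    default_realm = MYDOMAIN.COM

[domain_realm]
    mydomain.com = MYDOMAIN.COM
    .mydomain.com = MYDOMAIN.COM
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the [domain_realm] section of a krb5.conf as a dict (keys lowercased)."""
    section: Optional[str] = None
    mapping: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_cell(cell: str, mapping: Dict[str, str]) -> Optional[str]:
    """Host-to-realm lookup: exact name, then each parent domain with a leading dot."""
    cell = cell.lower()
    if cell in mapping:
        return mapping[cell]
    labels = cell.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def needs_referral(cell: str, conf: str) -> bool:
    """True when the local configuration cannot name the cell's realm."""
    return realm_for_cell(cell, parse_domain_realm(conf)) is None


def planned_requests(cell: str, conf: str) -> List[str]:
    """Service principals, in order, that a client with this krb5.conf would ask for."""
    realm = realm_for_cell(cell, parse_domain_realm(conf))
    if realm is None:
        # Empty realm: the request goes to the client principal's KDC, which
        # must answer with a referral to the realm that actually holds the key.
        return [f"afs/{cell}@"]
    # afs/<cell>@REALM is the form new cells should use; afs@REALM is only
    # tried afterwards, for cells that were created with the old name.
    return [f"afs/{cell}@{realm}", f"afs@{realm}"]


if __name__ == "__main__":
    for label, conf in (("no mapping", KRB5_CONF_NO_MAPPING),
                        ("with mapping", KRB5_CONF_WITH_MAPPING)):
        print(label, "-> referral needed:", needs_referral("mydomain.com", conf),
              "requests:", planned_requests("mydomain.com", conf))
```

With the first fragment the client ends up on the referral path seen in the quoted `aklog -d` run; adding the [domain_realm] entries from the second fragment to every client (or confirming that DNS-based realm lookup gives the same answer) lets aklog name the realm itself, so a cell created with afs/mydomain.com@MYDOMAIN.COM is found on the first request.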