Alexander got this 16 hours ago, but you list subscribers did not due
to an issue with the list server. Here it is for posterity.


---------- Forwarded message ----------
From: Derrick Brashear <[email protected]>
Date: Tue, Jan 31, 2012 at 7:44 AM
Subject: Re: [OpenAFS] Principal [email protected] vs. afs/[email protected] ?
To: Alexander Lazarević <[email protected]>
Cc: [email protected]


If you do decide to change principal names (and afs/cell@ is
recommended), know that you just need to rename the principal in your
KDC.
The key will stay the same, and the AFS KeyFile doesn't care about the
principal name, only the key itself... which won't have changed.

That it works this way is an accident of the structuring of the
principal finding code in aklog; you can avoid changing the name if
you don't want to, based on what's in the host to realm mappings in
your krb5.conf. But given you can't control the krb5.confs on every
machine, nor their aklogs, it's probably best to just change the
principal name.

On Tue, Jan 31, 2012 at 6:55 AM, Alexander Lazarević
<[email protected]> wrote:
> Hi!
>
> I have a rather small and simple setup (based on the description in [1])
> with two ubuntu file servers and a couple of clients. Because of the small
> setup I used to move configuration files around. Now I got scared by the
> message that 1.6.0 fileservers were unsafe to use [2] and upgraded the
> openafs installation on the ubuntu boxes to 1.6.1~pre1-1. This now works as
> good as before, but I think I'm seeing some timeouts especially using a
> 1.7.x windows client. But I still have to figure out if this is just a
> misconfiguration or a real problem.
>
> Because while upgrading I added SRV entries for kerberos and openafs to my
> nameserver. Kerberos authentication just worked out of the box. As you might
> have guessed by now, getting access to afs wasn't working that easily.
>
> smith@ubuntuclient:~$ aklog
>
> aklog: Couldn't get mydomain.com AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
>
> smith@ubuntuclient:~$ aklog -d
>
> Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
> Trying to authenticate to user's realm MYDOMAIN.COM.
> Getting tickets: afs/[email protected]
> We've deduced that we need to authenticate using referrals.
> Getting tickets: afs/mydomain.com@
> We've deduced that we need to authenticate to realm HOME.MYDOMAIN.COM.
> Getting tickets: afs/[email protected]
> Kerberos error code returned by get_cred : -1765328377
> aklog: Couldn't get mydomain.com AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
>
> smith@ubuntuclient:~$ aklog -d mydomain.com -k MYDOMAIN.COM
>
> Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
> We were told to authenticate to realm MYDOMAIN.COM.
> Getting tickets: afs/[email protected]
> Getting tickets: afs/[email protected]
> Getting tickets: [email protected]
> Using Kerberos V5 ticket natively
> About to resolve name smith to id in cell mydomain.com.
> Id 20000
> Set username to AFS ID 20000
> Setting tokens. AFS ID 20000 @ mydomain.com
>
> The principal I used until now was [email protected] . Do I need to create a
> new principal afs/[email protected] and make afs use this one, to
> make the above work with just using aklog? Should I change user principals
> as well?
>
> Thanks,
>  Alex
>
> [1]
> http://www.debian-administration.org/article/610/OpenAFS_installation_on_Debian
> [2]
> http://old.nabble.com/Re%3A-Timeouts-and-odd-behavior-with-1.6.0-file-servers-p33204316.html
>



--
Derrick
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info