I am trying to get Openafs 1.7.21 working on a Windows 7 machine. I followed
the directions on http://wiki.openafs.org/WindowsEndUserQuickStartGuide/
and installed Heimdal and the Network Identity Manager from the links on that
page.
Using the Identity Manager, I am able to get a Kerberos ticket but not an AFS
token. If I use aklog from the command line, sometimes I get a token and
sometimes I don't. When it does not work, the error is ERR_REPEAT (Request is
a replay).
A packet trace confirms this, and shows that this is also what happens every
time I try it with Identity Manager.
Our KDC is using the principal [email protected], not
afs/[email protected]. According to the packet trace, the
client tries afs/[email protected] twice before falling back to
[email protected]. The first try is always rejected with PRINCIPAL_UNKNOWN.
Sometimes the second try hits the same error, and sometimes it hits ERR_REPEAT,
in which case the client gives up. I assume there is a timing issue here, with
the requests sometimes having the same timestamp.
So how can we fix this? The KDC is running MIT Kerberos 1.6 on Scientific
Linux 5. I read on the net that there have been some replay cache
improvements since then, so a KDC upgrade is one option for trying to fix
this, but I can't do that right away.
It seems to me that switching to afs/[email protected] is
likely to fix the problem, but I am uncertain about how to do that without
creating any service disruptions. If I do this:
1. Create afs/[email protected]
2. Store the key in a keytab file
3. Use asetkey to add the key to the keyfile on each of the AFS servers
will it allow existing tokens that authenticated with [email protected]
to still work?
Any other ideas?
thanks,
Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
[email protected]
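The three-step rollover sketched in the post, written out as an added example (not code from the post or from OpenAFS): the kvno is read back from the keytab before asetkey runs, and only an add is performed, so entries already in the KeyFile are left in place. Cell name, realm, keytab path, server list, and the use of scp/ssh to reach the servers are placeholders and assumptions; the asetkey form shown is the OpenAFS 1.6 syntax.

```shell
#!/bin/sh
# Added example, not from the post. CELL, REALM, keytab path and server
# names are placeholders; "asetkey add <kvno> <keyfile> <principal>" is
# the OpenAFS 1.6 syntax.
set -eu

CELL="cell.example"                    # placeholder: AFS cell name
REALM="REALM.EXAMPLE"                  # placeholder: Kerberos realm
PRINC="afs/${CELL}@${REALM}"
KEYTAB="/tmp/afs-${CELL}.keytab"
AFS_SERVERS="fs1.example fs2.example"  # placeholders: AFS servers

# Constructed sample of "klist -ke" output, used to exercise the parser.
KLIST_SAMPLE='Keytab name: FILE:/tmp/afs-cell.example.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 afs/cell.example@REALM.EXAMPLE (DES cbc mode with CRC-32)
   3 afs/cell.example@REALM.EXAMPLE (DES cbc mode with CRC-32)'

# Highest kvno listed for a principal; prints 0 when it is absent.
# $1 = klist -ke output, $2 = principal name.
kvno_from_klist() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$2 == p { if ($1+0 > max) max = $1+0 } END { print max+0 }'
}

# Same, but fail (non-zero exit) instead of returning 0.
require_kvno() {
    kvno=$(kvno_from_klist "$1" "$2")
    [ "$kvno" -gt 0 ] || { echo "no keytab entry for $2" >&2; return 1; }
    printf '%s\n' "$kvno"
}

rollover() {
    # 1. Create the service principal with a random single-DES key
    #    (the key type rxkad uses in OpenAFS 1.6 servers).
    kadmin.local -q "addprinc -randkey -e des-cbc-crc:v4 ${PRINC}"
    # 2. Extract it to a keytab; ktadd assigns the kvno we must pass on.
    kadmin.local -q "ktadd -k ${KEYTAB} -e des-cbc-crc:v4 ${PRINC}"
    kvno=$(require_kvno "$(klist -ke "${KEYTAB}")" "${PRINC}")
    # 3. Add exactly that kvno to each server's KeyFile and list the result.
    #    Nothing is deleted, so the keys already present stay in place.
    for srv in ${AFS_SERVERS}; do
        scp "${KEYTAB}" "root@${srv}:${KEYTAB}"
        ssh "root@${srv}" "asetkey add ${kvno} ${KEYTAB} ${PRINC} && bos listkeys ${srv} -localauth"
    done
}

# Only touch the KDC and servers when invoked as: ./afs-key.sh run
if [ "${1:-}" = "run" ]; then rollover; fi
```

Check the kvno printed by `bos listkeys` against the one in the keytab before pointing clients at the new principal.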
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info