Upgrading your AFS principal from afs@ to afs/math.cornell.edu@ will fix this problem and shorten the time it takes all AFS clients to obtain afs tokens.

On Tuesday, December 11, 2012 8:50:03 AM, Steve Gaarder wrote:
> I am trying to get OpenAFS 1.7.21 working on a Windows 7 machine. I
> followed the directions on
> http://wiki.openafs.org/WindowsEndUserQuickStartGuide/
> and installed Heimdal and the Network Identity Manager from the links
> on that page.
>
> Using the Identity Manager, I am able to get a Kerberos ticket but not
> an AFS token. If I use aklog from the command line, sometimes I get a
> token and sometimes I don't. When it does not work, the error is
> ERR_REPEAT (Request is a replay).
>
> A packet trace confirms this, and shows that this is also what happens
> every time I try it with Identity Manager.
>
> Our KDC is using the principal [email protected], not
> afs/[email protected]. According to the packet trace,
> the client tries afs/[email protected] twice before
> falling back to [email protected]. The first try is always
> rejected with PRINCIPAL_UNKNOWN. Sometimes the second try hits the
> same error, and sometimes it hits ERR_REPEAT, in which case the client
> gives up. I assume there is a timing issue here, with the requests
> sometimes having the same timestamp.
>
> So how can we fix this? The KDC is running MIT Kerberos 1.6 on
> Scientific Linux 5. I read on the net that there have been some
> replay cache improvements since then, so a KDC upgrade is one option
> for trying to fix this, but I can't do that right away.
>
> It seems to me that switching to afs/[email protected]
> is likely to fix the problem, but I am uncertain about how to do that
> without creating any service disruptions. If I do this:
>
> 1. Create afs/[email protected]
> 2. Store the key in a keytab file
> 3. Use asetkey to add the key to the keyfile on each of the AFS servers
>
> will it allow existing tokens that authenticated with
> [email protected] to still work?
>
> Any other ideas?
>
> thanks,
>
> Steve Gaarder
> System Administrator, Dept of Mathematics
> Cornell University, Ithaca, NY, USA
> [email protected]
