Garrison, Eric C wrote:
Quoting Jeffrey Altman <jalt...@secure-endpoints.com>:
Eric Chris Garrison wrote:
...but as ecgar...@ads.iu.edu:
Wed Jul 1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
Wed Jul 1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth-- HOST 149.166.144.33 ID 32766 FID 536870933:2:2
So the ADS.IU.EDU user is showing as unauthorized? Strange that if I
create a file, its UNIX permissions show as owned by ecgarris though.
I would also verify that the keytabs that you are using are in fact
correct. You can do so using the MIT Kerberos kvno command. Obtain a
TGT for ecgar...@ads.iu.edu and then issue:
kvno -k <keytab> afs/afstest.iu....@ads.iu.edu
Your Rx connection is unauthenticated. That means that
(a) either you do not have an AFS token
(b) the token contains a kvno that is not recognized by the AFS server
(c) the token is bad in some other way
Could be the keys don't match.
Looks like AD is giving you a ticket with AES! Must be W2008 server,
and you did not specify des-only with ktpass for the AFS key.
How did you create the AD entry and key? Using ktpass?
Is it DES only?
How did you add the key to the AFS key file in the servers?
If you have problems with ktpass, there is a version of msktutil
that will work with Windows 2008.
http://download.systemimager.org/~finley/msktutil/
(Finley is here at ANL.)
On Windows using the MIT KFW klist command, what does "klist -e" show
when you have an afs/afstest.iu....@ads.iu.edu service ticket in the
cache?
I have done an "aklog -c afstest.iu.edu" giving the following output for
"tokens":
Tokens held by the Cache Manager:
User's (AFS ID 37302) tokens for a...@afstest.iu.edu [Expires Jul 9 00:53]
--End of list--
The kvno command comes back with the right kvno, as seen by ktutil for
the keytab, just as it was when I added it with asetkey.
Here's what "klist -e" says:
Default principal: ecgar...@ads.iu.edu
Valid starting Expires Service principal
07/08/09 14:53:40 07/09/09 00:53:44 krbtgt/ads.iu....@ads.iu.edu
renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/08/09 14:53:56 07/09/09 00:53:44 afs/afstest.iu....@ads.iu.edu
renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
The AFS tickets and keys must be DES today. Your server must be W2008.
So what else should I look for in the token being bad in another way?
Thanks again,
Chris
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
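
A check for the etype mismatch diagnosed in this thread, added here as an example and not written by any of the posters: it parses `klist -e` output and lists AFS service tickets whose ticket etype is not single DES, which the thread says AFS requires. The sample output, its placeholder principals and the function names `parse_tickets` and `non_des_afs_tickets` are assumptions made for illustration.

```python
import re

# Constructed sample modeled on the thread's "klist -e" output; principals are placeholders.
SAMPLE = """\
Default principal: user@EXAMPLE.COM
Valid starting Expires Service principal
07/08/09 14:53:40 07/09/09 00:53:44 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/08/09 14:53:56 07/09/09 00:53:44 afs/cell.example.com@EXAMPLE.COM
renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode
with 96-bit
SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/08/09 14:54:10 07/09/09 00:53:44 afs/des.example.com@EXAMPLE.COM
renew until 07/09/09 14:53:40, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)$")
ETYPES = re.compile(r"Etype \(skey, tkt\):\s*(.+)$")
# Single DES only: "DES cbc ..." or "des-cbc-..."; des3 / "Triple DES" do not match.
SINGLE_DES = re.compile(r"des[ -]cbc", re.IGNORECASE)


def parse_tickets(text):
    """Return [(service_principal, skey_etype, tkt_etype)] from klist -e text."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line.strip())
        if m:
            tickets.append([m.group(1), ""])
        elif tickets:
            # Rejoin continuation lines that a mail client wrapped.
            tickets[-1][1] = (tickets[-1][1] + " " + line.strip()).strip()
    parsed = []
    for principal, detail in tickets:
        m = ETYPES.search(detail)
        skey, _, tkt = m.group(1).partition(", ") if m else ("", "", "")
        parsed.append((principal, skey.strip(), tkt.strip()))
    return parsed


def non_des_afs_tickets(text):
    """AFS service tickets whose ticket etype is not single DES."""
    return [t for t in parse_tickets(text)
            if t[0].startswith(("afs/", "afs@")) and not SINGLE_DES.match(t[2])]

if __name__ == "__main__":
    for principal, skey, tkt in non_des_afs_tickets(SAMPLE):
        print(f"{principal}: ticket etype {tkt!r} is not DES")
```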