I am trying to get OpenAFS 1.7.21 working on a Windows 7 machine. I followed the directions on http://wiki.openafs.org/WindowsEndUserQuickStartGuide/ and installed Heimdal and the Network Identity Manager from the links on that page.

Using the Identity Manager, I am able to get a Kerberos ticket but not an AFS token. If I use aklog from the command line, sometimes I get a token and sometimes I don't. When it does not work, the error is ERR_REPEAT (Request is a replay).

A packet trace confirms this, and shows that this is also what happens every time I try it with Identity Manager.

Our KDC is using the principal a...@math.cornell.edu, not afs/math.cornell....@math.cornell.edu. According to the packet trace, the client tries afs/math.cornell....@math.cornell.edu twice before falling back to a...@math.cornell.edu. The first try is always rejected with PRINCIPAL_UNKNOWN. Sometimes the second try hits the same error, and sometimes it hits ERR_REPEAT, in which case the client gives up. I assume there is a timing issue here, with the requests sometimes having the same timestamp.

So how can we fix this? The KDC is running MIT Kerberos 1.6 on Scientific Linux 5. I read on the net that there have been some replay cache improvements since then, so a KDC upgrade is one option for trying to fix this, but I can't do that right away.

It seems to me that switching to afs/math.cornell....@math.cornell.edu is likely to fix the problem, but I am uncertain about how to do that without creating any service disruptions. If I do this:

1. Create afs/math.cornell....@math.cornell.edu
2. Store the key in a keytab file
3. Use asetkey to add the key to the keyfile on each of the AFS servers

will it allow existing tokens that authenticated with a...@math.cornell.edu to still work?

Any other ideas?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
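The three-step rollover sketched in the post, written up as an added shell example (not from the original thread or the OpenAFS project): create the afs/cell principal, extract its key to a keytab, and load it on the servers with asetkey, with a kvno check in between. CELL, REALM and KEYTAB are placeholders for the site's own values, and the DES enctype is an assumption based on what asetkey's KeyFile stored at the time.

```shell
#!/bin/sh
# Added example, not from the original thread: the create-principal / keytab /
# asetkey sequence from the post, plus a kvno check on the keytab it produces.
# CELL, REALM and KEYTAB are placeholders for this site's values.
CELL="${CELL:-example.cell}"
REALM="${REALM:-EXAMPLE.REALM}"
KEYTAB="${KEYTAB:-/root/afs-new.keytab}"
PRINC="afs/${CELL}@${REALM}"
# Assumption: the AFS servers' KeyFile (asetkey) takes a single DES key.
ENCTYPE="des-cbc-crc:normal"

# Return the highest kvno that "klist -k" lists for principal $1.
# Reads the klist listing on stdin, so it also works on a saved copy.
# Fails (exit 1) when the principal is not in the keytab at all.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p { found = 1; if ($1 + 0 > max) max = $1 + 0 }
        END { if (!found) exit 1; print max }'
}

# Build the asetkey invocation for the kvno found in the keytab; the
# server-side KeyFile entry must carry the same kvno as the keytab.
asetkey_cmd() {
    printf 'asetkey add %s %s %s\n' "$1" "$KEYTAB" "$PRINC"
}

# The actual rollover. Runs only when invoked with "run": kadmin.local has
# to be run on the KDC, asetkey on every AFS server (db and file servers).
rollover() {
    kadmin.local -q "addprinc -randkey ${PRINC}" || return 1
    kadmin.local -q "ktadd -k ${KEYTAB} -e ${ENCTYPE} ${PRINC}" || return 1
    kvno=$(klist -k "${KEYTAB}" | keytab_kvno "${PRINC}") || return 1
    echo "new key has kvno ${kvno}; on each AFS server, run:"
    asetkey_cmd "$kvno"
    echo "then confirm the entry with: asetkey list"
}

case "${1:-}" in
    run) rollover ;;
esac
```

Compare the kvno reported by `asetkey list` on each server against the keytab's kvno before pointing aklog at the new principal; a mismatch is the usual cause of tokens that are issued but then rejected by the fileservers.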
