Upgrading your AFS principal from afs@ to afs/math.cornell.edu@ will
fix this problem and shorten the time it takes all AFS clients to
obtain afs tokens.

On Tuesday, December 11, 2012 8:50:03 AM, Steve Gaarder wrote:
> I am trying to get OpenAFS 1.7.21 working on a Windows 7 machine.  I
> followed the directions on
> http://wiki.openafs.org/WindowsEndUserQuickStartGuide/
> and installed Heimdal and the Network Identity Manager from the links
> on that page.
>
> Using the Identity Manager, I am able to get a Kerberos ticket but not
> an AFS token.  If I use aklog from the command line, sometimes I get a
> token and sometimes I don't.  When it does not work, the error is
> ERR_REPEAT (Request is a replay).
>
> A packet trace confirms this, and shows that this is also what happens
> every time I try it with Identity Manager.
>
> Our KDC is using the principal a...@math.cornell.edu, not
> afs/math.cornell....@math.cornell.edu.  According to the packet trace,
> the client tries afs/math.cornell....@math.cornell.edu twice before
> falling back to a...@math.cornell.edu.  The first try is always
> rejected with PRINCIPAL_UNKNOWN. Sometimes the second try hits the
> same error, and sometimes it hits ERR_REPEAT, in which case the client
> gives up.  I assume there is a timing issue here, with the requests
> sometimes having the same timestamp.
>
> So how can we fix this?  The KDC is running MIT Kerberos 1.6 on
> Scientific Linux 5.  I read on the net that there have been some
> replay cache improvements since then, so a KDC upgrade is one option
> for trying to fix this, but I can't do that right away.
>
> It seems to me that switching to afs/math.cornell....@math.cornell.edu
> is likely to fix the problem, but I am uncertain about how to do that
> without creating any service disruptions.  If I do this:
>
> 1. Create afs/math.cornell....@math.cornell.edu
> 2. Store the key in a keytab file
> 3. Use asetkey to add the key to the keyfile on each of the AFS servers
>
> will it allow existing tokens that authenticated with
> a...@math.cornell.edu to still work?
>
> Any other ideas?
>
> thanks,
>
> Steve Gaarder
> System Administrator, Dept of Mathematics
> Cornell University, Ithaca, NY, USA
> gaar...@math.cornell.edu