On Tue, Sep 07, 2021 at 04:30:41PM +0200, Andreas Hirczy wrote:
> Hi!
> 
> I recently tried to rekey our AFS - at last - following the "basic
> procedure" from https://www.openafs.org/pages/security/how-to-rekey.txt
> and https://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt.  My
> setup runs OpenAFS 1.8.5 and MIT Kerberos 1.17-3 on Debian.
> 
> Afterwards obtaining tokens with aklog failed with error code 19270408
> (ticket contained unknown key version number):
> 
> | $ aklog
> | afs: Tokens for user of AFS id 997 for cell itp.tugraz.at: rxkad error=19270408 (server 129.27.161.138)
> | afs: Tokens for user of AFS id 997 for cell itp.tugraz.at: rxkad error=19270408 (server 129.27.161.139)
> | afs: Tokens for user of AFS id 997 for cell itp.tugraz.at are discarded (rxkad error=19270408,server 129.27.161.95)
> 
> I'm not sure whether I should run "akeyconvert" after copying the
> Kerberos keytab to the servers?  In my opinion we should have a file
> /etc/openafs/server/KeyFileExt, but it's not mentioned in the
> docs.

That sounds like your kerberos KDC is issuing tickets using a newer service
key that the AFS server (the ptserver, specifically, in this case) hasn't
learned about yet.

Running akeyconvert after copying the keytab should do the trick.  You may
need to `touch` the (server) CellServDB file after that in order to get the
change picked up; I forget if the KeyFileExt is on the list of files that
are watched in 1.8.5.

-Ben
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
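The check Ben's diagnosis implies, written out as an added example (this is not code from the OpenAFS project or from either poster): compare the key version numbers (kvnos) of the afs/<cell> keys in the keytab the rekey procedure has you copy to the servers, which are the kvnos the KDC can put into service tickets, against the kvnos the AFS server has actually loaded according to `asetkey list`. A kvno present in the keytab but not loaded on the server is the condition behind rxkad error 19270408. Assumed, not taken from the thread: the keytab path /etc/openafs/server/rxkad.keytab, that `klist` is MIT's, that `asetkey list` on 1.8 prints KeyFileExt entries as "rxkad_krb5 kvno N enctype E; key is: ...", the realm EXAMPLE.REALM in the constructed sample output, and the helper names (`keytab_kvnos`, `server_kvnos`, `list_diff`, `check_kvnos`), which are this example's own.

```shell
#!/bin/sh
# Added example, not code from the OpenAFS project or from this thread.
# Compares the kvnos the KDC can issue afs/<cell> tickets with (the keytab
# copied to the servers) against the kvnos the AFS server has loaded
# (asetkey list). A keytab kvno that is not loaded is the situation behind
# rxkad error 19270408 ("ticket contained unknown key version number").
# Assumptions: keytab at /etc/openafs/server/rxkad.keytab, MIT klist, and
# OpenAFS 1.8 asetkey listing keys as "rxkad_krb5 kvno N enctype E; ...".
set -u

# kvnos from `klist -ke <keytab>` output on stdin. Data lines begin with a
# number; the header lines ("Keytab name:", "KVNO Principal", "----") do not.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -un | paste -sd ' ' -
}

# kvnos from `asetkey list` output on stdin: the token following "kvno" on
# every rxkad_krb5 line, with any punctuation glued to it stripped off.
server_kvnos() {
    awk '/rxkad_krb5/ {
            for (i = 1; i < NF; i++)
                if ($i == "kvno") { v = $(i + 1); gsub(/[^0-9]/, "", v); print v }
         }' | sort -un | paste -sd ' ' -
}

# Items of space-separated list $1 that do not occur in list $2.
list_diff() {
    out=""
    for k in $1; do
        found=0
        for j in $2; do [ "$k" = "$j" ] && found=1; done
        [ "$found" -eq 0 ] && out="$out $k"
    done
    printf '%s\n' "${out# }"
}

# $1: klist output, $2: asetkey output. Returns 0 when every keytab kvno is
# loaded on the server, 1 (listing the missing kvnos) otherwise.
check_kvnos() {
    have=$(printf '%s\n' "$1" | keytab_kvnos)
    loaded=$(printf '%s\n' "$2" | server_kvnos)
    missing=$(list_diff "$have" "$loaded")
    if [ -n "$missing" ]; then
        echo "keytab kvno(s) not loaded by the AFS server: $missing"
        echo "on each server: akeyconvert; touch /etc/openafs/server/CellServDB; asetkey list"
        return 1
    fi
    echo "all keytab kvnos ($have) are loaded by the AFS server"
}

# Constructed sample output (realm and key bytes are made up; the cell is the
# one from the thread): the keytab already carries kvno 5, but only kvno 4
# has been converted into KeyFileExt on the server.
SAMPLE_KLIST='Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 afs/itp.tugraz.at@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   5 afs/itp.tugraz.at@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   5 afs/itp.tugraz.at@EXAMPLE.REALM (aes128-cts-hmac-sha1-96)'
SAMPLE_ASETKEY='rxkad_krb5 kvno     4 enctype 18; key is: 0011223344
rxkad_krb5 kvno     4 enctype 17; key is: 5566778899'

# Live run on an AFS server (needs read access to the keytab and KeyFileExt):
#   sh rekey-check.sh --live [/path/to/rxkad.keytab]
# Without --live the constructed sample is checked instead.
if [ "${1-}" = "--live" ]; then
    check_kvnos "$(klist -ke "${2:-/etc/openafs/server/rxkad.keytab}")" "$(asetkey list)"
else
    check_kvnos "$SAMPLE_KLIST" "$SAMPLE_ASETKEY" || true
fi
```

The comparison is by kvno only, which is what the error message is about; the server actually looks keys up by kvno and enctype together, so every enctype the keytab holds for the current kvno has to be loaded as well. akeyconvert imports all of them, so after running it on each server the `asetkey list` output should show one rxkad_krb5 line per enctype for the new kvno, and the check above should report the keytab kvnos as loaded.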
