[OpenAFS] rxk: ticket contained unknown key version number error
I am trying to build a new openafs file server. I have been following the instructions in the Quick Start Guide and some other guides on the internet. I have gotten to the point of trying to create the root.afs via the following command:

    vos create userv.slug.home /vicepa root.afs -cell slug.home

When I do this it returns the following messages:

    Could not fetch the list of partitions from the server
    rxk: ticket contained unknown key version number
    rxk: ticket contained unknown key version number

I have not found any great detailed instructions on the kerberos configuration and thus, this is how I set up the Kerberos principals for this server - I am guessing something is wrong in this sequence of steps.

1. # kadmin.local
   1. addprinc afsadmin
   2. addprinc -randkey afs/slug.home
2. Now let's export the afs key to a file and copy over to the afs server. So still from within kadmin.local
   1. ktadd -k /tmp/afs.keytab afs/slug.home
   2. getprinc afs/slug.home
      1. This command will provide some output. We are looking for the Key: vno # section of the output. The # section will be a number. Remember that we will need it in next set of steps.
3. Copy file to your afs server. I put the file in /etc/openafs/
4. Add the key to the AFS server.
   1. # asetkey add # /etc/openafs/afs.keytab afs/slug.home

Thanks in advance for your help.

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
[OpenAFS] Is AFS suitable for this scenario?
Hello, first of all I want to thank everyone on the list for their time in reading this message.

I am looking for a high availability and backup solution for the files stored on a server of the company where I work. At the moment we have all files on a single production server which is operated via ssh. Let's call it server A.

Currently this server exports via NFS a directory on 6 more servers that perform reads and writes on the exported directory through a rails application. All machines are running Debian Sarge and are operated remotely via ssh.

First of all I want to implement an instant replication solution in another machine. Next step would be that if server A falls server B could take its place and that should be transparent to the rails app.

Can I use AFS for these tasks? What steps do you think are important to achieve these goals?

Thanks again for your time.

Jacobo García López de Araujo.
[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Hello!

I've been trying to get OpenAFS 1.4.2 to work with Microsoft Active Directory (AD) 2003 as KDC for about a week now, and I am starting to believe I should have gone on that early vacation after all. I just can't get it to work. It ends at:

    19270407 = security object was passed a bad ticket

I have a lab environment consisting of an AD (lab.scania.com) and one AFS server/cell. (cellname: sss.se.scania.com, servername: vmware01.scania.com)

I have verified that the OpenAFS works by setting up a MIT kerberos 5 server in parallel (separate server) and successfully authenticated and can access, read and write files in my AFS directory. But swapping to the AD gives no luck whatsoever. This is what it ends up to.

(On AD side)

    C:\ktpass -out afs-keytab-des-cbc-md5 -princ afs/[EMAIL PROTECTED] -mapuser afs -crypto DES-CBC-MD5 -pass *
    Targeting domain controller: SeSoCoLab11.scania.se
    Successfully mapped afs/sss.se.scania.com to afs.
    Type the password for afs/sss.se.scania.com:
    Type the password again to confirm:
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to afs-keytab-des-cbc-md5:
    Keytab version: 0x502
    keysize 63 afs/[EMAIL PROTECTED] ptype 0 (KRB5_NT_UNKNOWN) vno 7 etype 0x3 (DES-CBC-MD5) keylength 8 (0xd0d352801964ad19)

(I email this file to my RedHat ES4 linux server, vmware01, that also holds the AFS-server)

I now add the key:

    [EMAIL PROTECTED] ~]# asetkey add 7 afs-keytab-des-cbc-md5 afs/sss.se.scania.com
    [EMAIL PROTECTED] ~]# asetkey list
    kvno0: key is: e9d6f2e068d97386
    kvno7: key is: d0d352801964ad19

--- I now clean up any old tickets/tokens:

    [EMAIL PROTECTED] ~]# unlog
    [EMAIL PROTECTED] ~]# kdestroy

--- I get my ticket - using my AD password:

    [EMAIL PROTECTED] ~]# kinit -V sssler
    Password for [EMAIL PROTECTED]:
    Authenticated to Kerberos v5
    [EMAIL PROTECTED] ~]# klist -e -5
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    01/03/07 12:12:21  01/03/07 22:12:11  krbtgt/[EMAIL PROTECTED]
            renew until 01/04/07 12:12:21, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5

--- I successfully aklog

    [EMAIL PROTECTED] ~]# aklog -d
    Authenticating to cell sss.se.scania.com (server vmware01.sss.se.scania.com).
    We've deduced that we need to authenticate to realm LAB.SCANIA.COM.
    Getting tickets: afs/[EMAIL PROTECTED]
    Using Kerberos V5 ticket natively
    About to resolve name sssler to id in cell sss.se.scania.com.
    Id 4067
    Set username to AFS ID 4067
    Setting tokens. AFS ID 4067 / @ LAB.SCANIA.COM
    [EMAIL PROTECTED] ~]# tokens
    Tokens held by the Cache Manager:
    User's (AFS ID 4067) tokens for [EMAIL PROTECTED] [Expires Jan 3 22:30]
       --End of list--
    [EMAIL PROTECTED] ~]# klist -e -5
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    01/03/07 12:30:37  01/03/07 22:30:34  krbtgt/[EMAIL PROTECTED]
            renew until 01/04/07 12:30:37, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    01/03/07 12:30:36  01/03/07 22:30:34  afs/[EMAIL PROTECTED]
            renew until 01/04/07 12:30:37, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5

--- from here I think I should be able to touch a file in my home directory (which I can do if I use MIT kerberos), but it fails with permission denied.

    $ touch /afs/sss.se.scania.com/home/sssler
    touch: cannot touch `/afs/sss.se.scania.com/home/sssler/foobar': Permission denied
    $ tail /var/log/messages
    ...
    Jan 3 10:59:49 vmware01 kernel: afs: Tokens for user of AFS id 4067 for cell sss.se.scania.com are discarded (rxkad error=19270407)

Basically, this is what I have done on the AD side:

* Created the user afs (afs/sss.se.scania.com) and set the options in the Account tab:
  [Account is sensitive and cannot be delegated]
  [use DES encryption types]
  [Password never expires]
  [Do not require Kerberos preauthentication]
* I have set in the Delegation tab
  [Trust user for delegation to any Service (Kerberos only)]

This is my /etc/krb5.conf

    [libdefaults]
        default_realm = LAB.SCANIA.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5

    [realms]
        LAB.SCANIA.COM = {
            kdc = sesoco0206.scania.com
            default_domain = scania.com
        }

    [domain_realm]
        .scania.se = LAB.SCANIA.COM
        scania.se = LAB.SCANIA.COM
        .scania.com = LAB.SCANIA.COM
        scania.com = LAB.SCANIA.COM

    [appdefaults]
        kinit = {
            renewable = true
            forwardable= true
        }

What am I doing wrong as it seems it should be fairly straightforward?

/Erik Lönroth
Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Have you set the authentication realm in the AFS server's krb.conf file to LAB.SCANIA.COM ?

Jeffrey Altman

P.S. In your krb5.conf file, don't do this:

    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
Re: [OpenAFS] Is AFS suitable for this scenario?
On Wed, 3 Jan 2007, Jacobo García wrote:

> First of all I want to implement an instant replication solution in another machine.

AFS does not provide instant replication service.

> Next step would be that if server A falls server B could take his place and that should be transparent to the rails app.

AFS does not provide hot-standby or failover.

> Can I use AFS for this tasks?, what steps do you think are important to achieve this goals?

Perhaps you should stay with your NFS and have a look at drbd.

Chris

--
TU Chemnitz, Informatik, VSR | Chemnitzer Linux-Tage 2007, 3.-4. Maerz
Str. d. Nationen 62, B204    | http://chemnitzer.linux-tage.de
D-09107 Chemnitz             | +49 371 531-31118, Fax -831118
                             | http://www.huebsch-gemacht.de - weblog
Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
On Wednesday, 3 January 2007 14:29, ext Jeffrey Altman wrote:

> P.S. In your krb5.conf file, don't do this:
>
>     default_tkt_enctypes = des-cbc-crc des-cbc-md5
>     default_tgs_enctypes = des-cbc-crc des-cbc-md5

Is this a general recommendation or only for Erik? Can you give some background info?

Thanx...

Dirk

--
Dirk Heinrichs          | Tel: +49 (0)162 234 3408
Configuration Manager   | Fax: +49 (0)211 47068 111
Capgemini Deutschland   | Mail: [EMAIL PROTECTED]
Hambornerstraße 55      | Web: http://www.capgemini.com
D-40472 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net
Re: [OpenAFS] Is AFS suitable for this scenario?
On Wed, 3 Jan 2007, Chris Huebsch wrote:

> AFS does not provide hot-standby or failover.

Perhaps I should clarify that a little bit. In some special cases, AFS can do that too. But it requires that the data is strictly read-only.

This read-only data has to be created from read-write data (this is called release in AFS-speak). This process takes some time, so it is neither recommended nor feasible to do that release in very short intervals.

Chris
Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Dirk Heinrichs wrote:

> On Wednesday, 3 January 2007 14:29, ext Jeffrey Altman wrote:
>
>> P.S. In your krb5.conf file, don't do this:
>>
>>     default_tkt_enctypes = des-cbc-crc des-cbc-md5
>>     default_tgs_enctypes = des-cbc-crc des-cbc-md5
>
> Is this a general recommendation or only for Erik? Can you give some background info?
>
> Thanx...
>
> Dirk

You *almost* never want to specify default_tkt_enctypes or default_tgs_enctypes. Doing so prevents the client from being able to handle stronger ticket types when the KDC wants to issue them.

If you need to restrict a ticket enctype for a service such as AFS you do so by limiting the enctypes for which that service principal has keys in the Kerberos Database.

For AFS, there should only be single DES keys associated with the service principal in MIT or Heimdal. In Active Directory, the use DES only flag should be set.

Jeffrey Altman
RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
I believe I have... My file looks like this. Can I be sure this is OK? In my misery I can't trust anything at the moment.

    [EMAIL PROTECTED] ~]# cat /usr/afs/etc/krb.conf
    LAB.SCANIA.COM
    LAB.SCANIA.COM sesocolab11.scania.com

I have also looked in AD to see the Service principal binding (Is this right?):

    C:\setspn -A afs/sss.se.scania.com afs
    Registering ServicePrincipalNames for CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com
        afs/sss.se.scania.com
    Updated object

    C:\setspn -L afs
    Registered ServicePrincipalNames for CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com:
        afs/sss.se.scania.com
        HOST/afs
        HOST/afs.LAB

/Erik
Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Lönroth Erik wrote:

> I believe I have... My file looks like this. Can I be sure this is OK? In my misery I can't trust anything at the moment.
>
>     [EMAIL PROTECTED] ~]# cat /usr/afs/etc/krb.conf
>     LAB.SCANIA.COM
>     LAB.SCANIA.COM sesocolab11.scania.com

This is fine. Although the second line is not used by AFS so you can remove it.

Did you restart the AFS servers after setting this value?

> I have also looked in AD to see the Service principal binding (Is this right?):
>
>     C:\setspn -A afs/sss.se.scania.com afs
>     Registering ServicePrincipalNames for CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com
>         afs/sss.se.scania.com
>     Updated object
>
>     C:\setspn -L afs
>     Registered ServicePrincipalNames for CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com:
>         afs/sss.se.scania.com
>         HOST/afs
>         HOST/afs.LAB

That is fine.

RXKADBADTICKET can be generated if the clocks between AFS and AD are not synchronized. Are they?

Jeffrey Altman
RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
OK, I believe I have resolved the problem now after 5 whole days of trial and error.

It turns out that using the KTPASS native from Active Directory generates keys that are not liked by AFS. I instead used ktutil.exe (for windows) to generate my key that I then imported as usual into AFS.

On Microsoft AD side:

    ktutil
    ktutil: addent -password -p afs/[EMAIL PROTECTED] -k 9 -e des-cbc-crc
    ktutil: wkt ./keytab.file
    ktutil: quit

This file is then copied to linux and imported exactly as I would normally:

    asetkey add 9 keytab.file afs/sss.se.scania.com

Now - everything works

    kinit sssler
    aklog
    touch /afs/sss.se.scania.com/home/sssler/somefile
    ls /afs/sss.se.scania.com/home/sssler/somefile
    /afs/sss.se.scania.com/home/sssler/somefile

Success!

I verified this by behaviour - AGAIN - by using the KTPASS.EXE (without changing anything else) and importing the key with asetkey as normal.

    C:\ktpass -out afs-keytab-md5-verify -princ afs/[EMAIL PROTECTED] -mapuser afs -crypto DES-CBC-CRC -pass *
    Targeting domain controller: SeSoCoLab11.scania.se
    Successfully mapped afs/sss.se.scania.com to afs.
    Type the password for afs/sss.se.scania.com:
    Type the password again to confirm:
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to afs-keytab-md5-verify:
    Keytab version: 0x502
    keysize 63 afs/[EMAIL PROTECTED] ptype 0 (KRB5_NT_UNKNOWN) vno 9 etype 0x1 (DES-CBC-CRC) keylength 8 (0xbff2e56b29943d3e)

(Again publishing the key to the whole world ;-)

... and - using this key in AFS - I get the same error again: rxkad error=19270407

I swapped back again to the key generated by ktutil.exe - and it works again.

It seems that using the KTPASS.EXE generates bogus keys for me! I have not read this anywhere and I have read pretty much everything, did I miss something critical here or is this a bug/feature?

/Erik
Re: [OpenAFS] Problem building openafs on kernel 2.6.18.2-34-default
Sorry... I have been offline for a while. Here is the section of the config.log regarding rlim:

    configure:11102: checking for rlim in struct task_struct
    configure:11133: make -C $LINUX_KERNEL_PATH M=`pwd`/conftest.dir modules /dev/null
    /home/cerminar/io/installazione/openafs-1.5.12/conftest.dir/conftest.c: In function 'conftest':
    /home/cerminar/io/installazione/openafs-1.5.12/conftest.dir/conftest.c:7: error: 'struct task_struct' has no member named 'rlim'
    make[1]: *** [/home/cerminar/io/installazione/openafs-1.5.12/conftest.dir/conftest.o] Error 1
    make: *** [_module_/home/cerminar/io/installazione/openafs-1.5.12/conftest.dir] Error 2
    configure:11136: $? = 2
    configure:11211: result: no
    configure:11214: checking for signal-rlim in struct task_struct
    configure:11245: make -C $LINUX_KERNEL_PATH M=`pwd`/conftest.dir modules /dev/null
    /home/cerminar/io/installazione/openafs-1.5.12/conftest.dir/conftest.c: In function 'conftest':
    /home/cerminar/io/installazione/openafs-1.5.12/conftest.dir/conftest.c:7: warning: format '%d' expects type 'int', but argument 2 has type 'struct rlimit *'
    /home/cerminar/io/installazione/openafs-1.5.12/conftest.dir/conftest.c:7: warning: '_tsk.signal' is used uninitialized in this function
    /bin/sh: scripts/mod/modpost: No such file or directory
    make[1]: *** [__modpost] Error 127
    make: *** [modules] Error 2
    configure:11248: $? = 2
    configure:11323: result: no
    configure:11326: checking for exit_state in struct task_struct
    configure:11357: make -C $LINUX_KERNEL_PATH M=`pwd`/conftest.dir modules /dev/null
    /home/cerminar/io/installazione/openafs-1.5.12/conftest.dir/conftest.c: In function 'conftest':
    /home/cerminar/io/installazione/openafs-1.5.12/conftest.dir/conftest.c:7: warning: format '%d' expects type 'int', but argument 2 has type 'long int'
    /home/cerminar/io/installazione/openafs-1.5.12/conftest.dir/conftest.c:7: warning: '_tsk.exit_state' is used uninitialized in this function
    /bin/sh: scripts/mod/modpost: No such file or directory
    make[1]: *** [__modpost] Error 127
    make: *** [modules] Error 2
    configure:11360: $? = 2
    configure:11435: result: no

If this is not enough I'll try to use the suggested patch.

Cheers,
G

Russ Allbery wrote:

> Gianluca Cerminara [EMAIL PROTECTED] writes:
>
>> Yes I get the same error, also with 1.4.2 and 1.5.12...
>>
>>     error: #error Not sure what to do about rlim (should be in the Linux task struct somewhere)
>
> This error usually means nothing more than your kernel headers included in the way that OpenAFS's configure uses them failed to compile and can be caused by all sorts of things, ranging from missing packages to real kernel incompatibilities. To figure out what's going on, we need to see the portion of config.log around the test for rlim. There will be compiler error messages that will hopefully lead us to the real cause.

--
Gianluca Cerminara
Tel. CERN +41 (0)22 76 71519
Tel. TO +39 011 670 7374
Re: [OpenAFS] Is AFS suitable for this scenario?
Chris Huebsch wrote:

> On Wed, 3 Jan 2007, Chris Huebsch wrote:
>
>> AFS does not provide hot-standby or failover.
>
> Perhaps I should clarify that a little bit. In some special cases, AFS can do that too. But it requires that the data is strictly read-only.
>
> This read-only data has to be created from read-write data (this is called release in AFS-speak). This process takes some time, so it is neither recommended nor feasible to do that release in very short intervals.

The AFS read only replicas are updated from their parent RW volume. Unless -f is specified on the vos release volume name or ID command line the update is 'whole file incremental' -- only files that have changed are 'shipped.'

Time required for a vos release therefore varies considerably from one volume to the next. It also varies with the number of update sites and the bandwidth available between them. Even when no file has changed in the RW volume the 'vos release' process has to confirm and this requires some time.

Instant replication is not something to expect from AFS.

AFS will provide near-instant failover to replicated, read only data. If your purpose is instant failover to read/write data then AFS does not qualify, as Chris says.

Kim
RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Correction on that: The ktutil was run on the linux host! (not windows)

But still... the ktpass.exe gives me bogus keyfiles.

/Erik
RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
On Wed, 3 Jan 2007, Lönroth Erik wrote:

> I swapped back again to the key generated by ktutil.exe - and it works again.
>
> It seems that using the KTPASS.EXE generates bogus keys for me! I have not read this anywhere and I have read pretty much everything, did I miss something critical here or is this a bug/feature?

When I was preparing my slides I had this error, and then I took a package from Jeff Altman with ktpass; then ktpass worked, but I assumed I had changed something else.
Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Compare the keytab files produced with ktutil and ktpass for the same key. How are they different?

Jeffrey Altman
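Added example, not part of the thread and not OpenAFS or Kerberos project code: one way to carry out the comparison asked for above, and to check the key version number that the first thread on this page ("unknown key version number") depends on. It parses version 0x502 keytab files, reports which fields differ between two entries, and checks an entry against the kvno given to asetkey. The two sample keytabs, their principal, realm and key bytes are constructed for the example.

```python
import struct

# Enctype numbers that appear in this thread's output (ktpass prints them in hex).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}
SINGLE_DES = {1, 3}  # the thread states AFS service keys should be single DES


def _counted(buf, off):
    """Read a 16-bit big-endian length plus that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("counted field runs past the end of the entry")
    return buf[off:off + n], off + n


def _parse_entry(rec):
    (ncomp,) = struct.unpack_from(">H", rec, 0)
    realm, p = _counted(rec, 2)
    comps = []
    for _ in range(ncomp):
        comp, p = _counted(rec, p)
        comps.append(comp.decode("utf-8", "replace"))
    name_type, timestamp, vno8, etype = struct.unpack_from(">IIBH", rec, p)
    key, p = _counted(rec, p + 11)
    kvno = vno8
    if len(rec) - p >= 4:  # optional trailing 32-bit kvno wins when non-zero
        (kvno32,) = struct.unpack_from(">I", rec, p)
        kvno = kvno32 or vno8
    return {
        "principal": "/".join(comps) + "@" + realm.decode("utf-8", "replace"),
        "name_type": name_type,
        "timestamp": timestamp,
        "kvno": kvno,
        "etype": etype,
        "key": key.hex(),
    }


def parse_keytab(data):
    """Return the entries of a version 0x502 keytab as a list of dicts.

    For a real file: parse_keytab(open(path, "rb").read())
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted slot of that many bytes
            off += -size
            continue
        if off + size > len(data):
            raise ValueError("truncated keytab entry")
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries


def diff_entries(a, b, ignore=("timestamp",)):
    """Names of the fields in which two parsed entries differ."""
    return [f for f in a if f not in ignore and a[f] != b[f]]


def asetkey_problems(entry, asetkey_kvno):
    """Mismatches between a keytab entry and the kvno passed to asetkey."""
    problems = []
    if entry["kvno"] != asetkey_kvno:
        problems.append("kvno mismatch: keytab has %d, asetkey was given %d"
                        % (entry["kvno"], asetkey_kvno))
    if entry["etype"] not in SINGLE_DES:
        problems.append("enctype %s is not single DES"
                        % ETYPE_NAMES.get(entry["etype"], entry["etype"]))
    elif len(entry["key"]) != 16:  # 8 bytes shown as 16 hex digits
        problems.append("DES key is not 8 bytes")
    return problems


def build_entry(realm, comps, name_type, kvno, etype, key, kvno32=False):
    """Serialize one entry; used only to construct the sample data below."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIBH", name_type, 0, kvno & 0xFF, etype) + counted(key)
    if kvno32:
        body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed samples: same principal, kvno and enctype, different name type and key.
_PRINC = ("EXAMPLE.COM", ["afs", "cell.example.com"])
SAMPLE_A = b"\x05\x02" + build_entry(*_PRINC, 0, 9, 1, bytes.fromhex("0123456789abcdef"))
SAMPLE_B = b"\x05\x02" + build_entry(*_PRINC, 1, 9, 1, bytes.fromhex("fedcba9876543210"),
                                     kvno32=True)

if __name__ == "__main__":
    a, b = parse_keytab(SAMPLE_A)[0], parse_keytab(SAMPLE_B)[0]
    print("fields that differ:", diff_entries(a, b))
    print("problems if imported with 'asetkey add 7':", asetkey_problems(a, 7))
```
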
Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Derrick J Brashear wrote:

> When I was preparing my slides I had this error, and then I took a package from Jeff Altman with ktpass; then ktpass worked, but I assumed I had changed something else.

Right.

What version of ktpass are you using? There was a bug in one version. The one that came with 2003 SP1 perhaps?
Re: [OpenAFS] Re: openafs does not put a [correct] value in fsinfo.f_type?
Jeffrey Altman [EMAIL PROTECTED] wrote:

If you are in a position to get a new entry added to the Linux sys/statfs.h header file, please do so. I would suggest a value of AFS_SUPER_MAGIC 0x5346414F

To be honest, I really don't think there would be any harm in just using this value. OAFS Who else would?

Well, would there be a need to have arla use the same value? Or other non OpenAFS clients? Or is it a feature that this number can be used to identify the client software as well as the fs type?

CDC
[OpenAFS] env vars being ignored - 1.4.2 building aklog
CC and CPPFLAGS being ignored (I am using GNU make of course) when building aklog. Also, isn't this supposed to build by default, what with kaserver's deprecation and all... ?

Any ideas?

    LDFLAGS="-L/export/k5/lib -R/export/k5/lib"
    CPPFLAGS=-I/export/k5/include
    export LDFLAGS CPPFLAGS
    CC=gcc; export CC

configure --opts-here... , make, make dest blah blah ...

    src cd aklog
    aklog make
    /opt/SUNWspro/bin/cc -DALLOW_REGISTER -I/export/home/src/openafs-1.4.2/src/config -I. -I. -I/export/home/src/openafs-1.4.2/include -I/export/home/src/openafs-1.4.2/include/afs -I/export/home/src/openafs-1.4.2/include/rx -I/export/home/src/openafs-1.4.2 -I/export/home/src/openafs-1.4.2/src -I/export/home/src/openafs-1.4.2/src -dy -Bdynamic -c aklog.c
    aklog.h, line 15: cannot find include file: krb5.h
    aklog.c, line 21: warning: implicit function declaration: exit
    cc: acomp failed for aklog.c
    make: *** [aklog.o] Error 2
    aklog grep SUNWspro *
    aklog ls /export/k5/include/
    com_err.h    gssrpc/      krb5/        profile.h
    gssapi/      kerberosIV/  krb5.h
    aklog
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
Configure OpenAFS with --with-krb5 then aklog will build.
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
Jeff Blaine wrote:

> CC and CPPFLAGS being ignored (I am using GNU make of course) when building aklog. Also, isn't this supposed to build by default, what with kaserver's deprecation and all... ?

You want KRB5CFLAGS and KRB5LIBS. These are options to configure, not to make. If this isn't documented somewhere it should be.

To build aklog you need configure --with-krb5. This is not currently the default but I'm sure it will be soon. Note that if you are using heimdal you don't need aklog, use heimdal's afslog instead. Again, if this isn't documented, it should be.

You shouldn't need gmake. I don't know about the compiler issue but I'm sure it's been discussed on the -devel mailing list.
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
Indeed - error on my part. I mistakenly assumed that the option for pointing to krb5-config would be --with-krb5-config=PATH

It's --with-krb5-conf :|

Jeffrey Altman wrote:

Configure OpenAFS with --with-krb5 then aklog will build.

Jeff Blaine wrote:

CC and CPPFLAGS being ignored (I am using GNU make of course) when building aklog. Also, isn't this supposed to build by default, what with kaserver's deprecation and all... ?

Any ideas?

LDFLAGS=-L/export/k5/lib -R/export/k5/lib
CPPFLAGS=-I/export/k5/include
export LDFLAGS CPPFLAGS
CC=gcc; export CC

configure --opts-here... , make, make dest blah blah ...

src cd aklog
aklog make
/opt/SUNWspro/bin/cc -DALLOW_REGISTER -I/export/home/src/openafs-1.4.2/src/config -I. -I. -I/export/home/src/openafs-1.4.2/include -I/export/home/src/openafs-1.4.2/include/afs -I/export/home/src/openafs-1.4.2/include/rx -I/export/home/src/openafs-1.4.2 -I/export/home/src/openafs-1.4.2/src -I/export/home/src/openafs-1.4.2/src -dy -Bdynamic -c aklog.c
aklog.h, line 15: cannot find include file: krb5.h
aklog.c, line 21: warning: implicit function declaration: exit
cc: acomp failed for aklog.c
make: *** [aklog.o] Error 2
aklog grep SUNWspro *
aklog ls /export/k5/include/
com_err.h   gssrpc/      krb5/    profile.h
gssapi/     kerberosIV/  krb5.h
aklog
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
Jim Rees wrote:

Jeff Blaine wrote:

CC and CPPFLAGS being ignored (I am using GNU make of course) when building aklog. Also, isn't this supposed to build by default, what with kaserver's deprecation and all... ?

You want KRB5CFLAGS and KRB5LIBS. These are options to configure, not to make. If this isn't documented somewhere it should be.

Thanks Jim - If I'm not misunderstanding the current configure output, these are set by configure these days (when one runs configure properly).

config.log:configure:19785: result: Adding -I/export/k5/include to KRB5CFLAGS

[ I assume you saw (or will see) my response to J.A. ]

To build aklog you need configure --with-krb5. This is not currently the default but I'm sure it will be soon. Note that if you are using heimdal you don't need aklog, use heimdal's afslog instead. Again, if this isn't documented, it should be.

You shouldn't need gmake. I don't know about the compiler issue but I'm sure it's been discussed on the -devel mailing list.
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
Jeff Blaine wrote:

If I'm not misunderstanding the current configure output, these are set by configure these days (when one runs configure properly).

That's only if you have krb5-config. I thought you didn't, because a) you have Solaris and I thought Solaris didn't come with anything, and b) I misunderstood your problem.
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
CC and CPPFLAGS being ignored (I am using GNU make of course) when building aklog. Also, isn't this supposed to build by default, what with kaserver's deprecation and all... ?

You want KRB5CFLAGS and KRB5LIBS. These are options to configure, not to make. If this isn't documented somewhere it should be.

Those variables are now marked with AC_ARG_VAR(), so they should display useful information in the configure help output at least. For a while they weren't this way, because of old autoconfs still in use.

(The way it works is that if a krb5-config script is being used, it overrides KRB5CFLAGS and KRB5LIBS; if one is not being used, either the environment settings or what is given on the autoconf command line for those variables is used).

--Ken
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
Jim Rees wrote:

To build aklog you need configure --with-krb5. This is not currently the default but I'm sure it will be soon. Note that if you are using heimdal you don't need aklog, use heimdal's afslog instead. Again, if this isn't documented, it should be.

aklog builds with Heimdal. asetkey does not.
Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Jeffrey Altman wrote:

Compare the keytab files produced with ktutil and ktpass for the same key. How are they different?

Does the test AD domain have more than one DC? If so is this a replication timing problem? It may take minutes for all the DCs to get in sync.

It could be a salt issue, that the newer ktpass might fix. The old ktpass may have made the assumption the salt matched a principal for [EMAIL PROTECTED] which is what I think W2K did. (the SamAccountName is the -mapuser parameter, so would be afs in your case with a salt of LAB.SCANIA.COMafs.)

I think W2K3 and its ktpass used the standard salt derived from the principal. REALMcomponent1component2... or in your case LAB.SCANIA.COMaf.se.scania.com

I see in your first note you listed the DES key, and that was what you added with asetkey. You could also try using the same password with ktutil and see if it produces the same key which would indicate if it was using the standard salt. If not try using ktutil with a principal of [EMAIL PROTECTED] which would give the salt that matches the SamAccountName.

You can see what salt AD is using, by using a network sniffer to look at the KRB5_ERROR message e-data, PA_ENCTYPE_INFO values that lists the salts while doing:

kinit afs/[EMAIL PROTECTED]

But this does not show what salt ktpass used to create the keytab.

Jeffrey Altman

Lönroth Erik wrote:

OK, I believe I have resolved the problem now after 5 whole days of trial and error.

It turns out that using the KTPASS native from Active Directory generates keys that are not liked by AFS. I instead used ktutil.exe (for windows) to generate my key that I then imported as usual into AFS.

On Microsoft AD side:

ktutil
ktutil: addent -password -p afs/[EMAIL PROTECTED] -k 9 -e des-cbc-crc
ktutil: wkt ./keytab.file
ktutil: quit

This file is then copied to linux and imported exactly as I would normally:

asetkey add 9 keytab.file afs/sss.se.scania.com

Now - everything works

kinit sssler
aklog
touch /afs/sss.se.scania.com/home/sssler/somefile
ls /afs/sss.se.scania.com/home/sssler/somefile
/afs/sss.se.scania.com/home/sssler/somefile

Success!

I verified this by behaviour - AGAIN - by using the KTPASS.EXE (without changing anything else) and importing the key with asetkey as normal.

C:\ktpass -out afs-keytab-md5-verify -princ afs/[EMAIL PROTECTED] -mapuser afs -crypto DES-CBC-CRC -pass *
Targeting domain controller: SeSoCoLab11.scania.se
Successfully mapped afs/sss.se.scania.com to afs.
Type the password for afs/sss.se.scania.com:
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to afs-keytab-md5-verify:
Keytab version: 0x502
keysize 63 afs/[EMAIL PROTECTED] ptype 0 (KRB5_NT_UNKNOWN) vno 9 etype 0x1 (DES-CBC-CRC) keylength 8 (0xbff2e56b29943d3e)

(Again publishing the key to the whole world ;-)

... and - using this key in AFS - I get the same error again : rxkad error=19270407

I swapped back again to the key generated by ktutil.exe - and it works again.

It seems that using the KTPASS.EXE generates bogus keys for me! I have not read this anywhere and I have read pretty much everything, did I miss something critical here or is this a bug/feature?

/Erik

-Original Message-
From: Jeffrey Altman [mailto:[EMAIL PROTECTED]
Sent: Wed 1/3/2007 3:16 PM
To: Lönroth Erik
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arg

Lönroth Erik wrote:

I believe I have... My file looks like this. Can I be sure this is OK? In my misery I can't trust anything at the moment.

[EMAIL PROTECTED] ~]# cat /usr/afs/etc/krb.conf
LAB.SCANIA.COM
LAB.SCANIA.COM sesocolab11.scania.com

This is fine. Although the second line is not used by AFS so you can remove it. Did you restart the AFS servers after setting this value?

I have also looked in AD to see the Service principal binding (Is this right?) :

C:\setspn -A afs/sss.se.scania.com afs
Registering ServicePrincipalNames for CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com
afs/sss.se.scania.com
Updated object

C:\setspn -L afs
Registered ServicePrincipalNames for CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com:
afs/sss.se.scania.com
HOST/afs
HOST/afs.LAB

That is fine.

RXKADBADTICKET can be generated if the clocks between AFS and AD are not synchronized. Are they?

Jeffrey Altman

--
Douglas E. Engert [EMAIL PROTECTED]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
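Altman's suggestion in the message above, to compare the keytab files produced by ktutil and ktpass, can be carried out by decoding both files field by field. The following is an added example, not part of any post in this thread: it parses the version 0x502 keytab layout that ktpass reports, and the two sample keytabs and their key bytes are constructed for illustration.

```python
import struct

def parse_keytab(data):
    """Parse a version 0x502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                   # zero or negative size: hole left by a deleted entry
            pos += -size
            continue
        rec, off = data[pos:pos + size], 0
        pos += size

        def counted():                  # 16-bit length followed by that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]

        (ncomp,) = struct.unpack_from(">H", rec, off)
        off += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        ptype, _stamp, vno, etype = struct.unpack_from(">IIBH", rec, off)
        off += 11
        key = counted()
        if len(rec) - off >= 4:         # optional 32-bit kvno replaces the 8-bit one
            vno = struct.unpack_from(">I", rec, off)[0] or vno
        entries.append({"size": size, "principal": "/".join(comps) + "@" + realm,
                        "ptype": ptype, "vno": vno, "etype": etype, "key": key.hex()})
    return entries

def diff_entries(a, b):
    """Names of the fields in which two parsed entries differ."""
    return [f for f in ("principal", "ptype", "vno", "etype", "key") if a[f] != b[f]]

def build_keytab(realm, comps, ptype, vno, etype, key):
    """Serialise one entry; used only to construct the sample input below."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", ptype, 0, vno, etype) + cs(key)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed samples: same principal, kvno 9 and DES-CBC-CRC (etype 1), different key bytes.
NAME = ("LAB.SCANIA.COM", ["afs", "sss.se.scania.com"], 0, 9, 1)
KTUTIL_SAMPLE = build_keytab(*NAME, bytes.fromhex("0102030405060708"))
KTPASS_SAMPLE = build_keytab(*NAME, bytes.fromhex("1112131415161718"))
```

For real files, pass open(path, "rb").read() to parse_keytab. Entries that agree on principal, kvno and enctype but differ only in the key field are what a salt mismatch of the kind discussed above would produce.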
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
On Wed, 3 Jan 2007, Jeff Blaine wrote:

CC and CPPFLAGS being ignored (I am using GNU make of course) when building aklog. Also, isn't this supposed to build by default, what with kaserver's deprecation and all... ?

CC will be ignored. Because we build kernel stuff, we go out of our way to ensure we use the compiler we want. If someone wants to contribute the autoconf work needed to fix it (and it's not simple, how do you test a kernel compiler) we will fix it.

configure --with-krb5 or no aklog. does --opts-here include --with-krb5?
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
On Jan 3, 2007, at 16:30 , Jeffrey Altman wrote:

Jim Rees wrote:

To build aklog you need configure --with-krb5. This is not currently the default but I'm sure it will be soon. Note that if you are using heimdal you don't need aklog, use heimdal's afslog instead. Again, if this isn't documented, it should be.

aklog builds with Heimdal. asetkey does not.

I would add that, while asetkey is not necessary with Heimdal (anywhere you can specify a keytab, you can use AFSKEYFILE:... instead), aklog has some advantages over afslog because it communicates with the ptserver and produces tokens which look more correct when your Kerberos principal's pts ID is different from your Unix uid (as with admin instances, for example).

--
brandon s. allbery [linux,solaris,freebsd,perl] [EMAIL PROTECTED]
system administrator [openafs,heimdal,too many hats] [EMAIL PROTECTED]
electrical and computer engineering, carnegie mellon university KF8NH
[OpenAFS] Part 1: Solaris 9, OpenAFS 1.4.2, MIT KDC
Here's what you need to do to *start to begin* to even think about migrating from kaserver to an MIT KDC under Solaris 9:

These exact steps are determined to be REQUIRED after countless hours of screwing around with this and having errata explained to me via email from folks. Hopefully it will save someone else loads of wasted time. If it doesn't work for you, I'm sorry.

0. OPTIONAL: Grab Solaris 9 SPARC OpenAFS package. Find it has no aklog or asetkey. Remove Solaris 9 SPARC OpenAFS package.

1. Download Sun Studio 11. No GCC allowed.

2. Install it (defaults to /opt/SUNWspro)

3. Set your PATH to include /opt/SUNWspro/bin and ALSO...

4. Set environment variables for build tools.

   CC=/opt/SUNWspro/bin/cc ; export CC
   LD=/usr/ccs/bin/ld ; export LD

5. Download and unpackage MIT Kerberos 1.5.1

6. Build and install MIT Kerberos 1.5.1

   cd src
   ./configure --disable-dns-for-realm --prefix=/export/k5
   make
   make install

7. Set LDFLAGS and CPPFLAGS to include where you installed Kerberos.

   LDFLAGS=-L/export/k5/lib -R/export/k5/lib
   export LDFLAGS
   CPPFLAGS=-I/export/k5/include
   export CPPFLAGS

8. Download and unpackage OpenAFS 1.4.2 source

9. Build and install OpenAFS 1.4.2

   ./configure --enable-transarc-paths \
       --with-krb5-conf=/export/k5/bin/krb5-config
   make
   make dest

10. Now you have an OpenAFS 1.4.2 with an aklog binary. You also have an 'asetkey' binary, but it's not dropped into your 'dest' area when you 'make dest'. Why? I don't know.

   cp src/aklog/asetkey sun4x_59/dest/bin

More as I unravel this and write it :|
Re: [OpenAFS] env vars being ignored - 1.4.2 building aklog
[EMAIL PROTECTED] replied:

Jim Rees wrote:

To build aklog you need configure --with-krb5. This is not currently the default but I'm sure it will be soon. Note that if you are using heimdal you don't need aklog, use heimdal's afslog instead. Again, if this isn't documented, it should be.

aklog builds with Heimdal. asetkey does not.

I have patches for asetkey to build with heimdal as well. Right now they're part of the rxk5 patch - but could be split out. The problem is trivial:

mit:             heimdal:
key->contents    key->keyvalue.data
key->length      key->keyvalue.length

-Marcus Watts
[OpenAFS] Re: Openafs Failover Problem
Chris Huebsch wrote:

On Thu, 7 Dec 2006, Stefan Heimers wrote:

But if I don't do a graceful shutdown, but rather turn off the power on one machine, the afs server won't work on the other. Filesystems are mounted, processes are started, but the clients cannot access afs directories.

Are you sure, that your fileserver is really running and ready to serve client requests. After the fsck by the OS, afs runs a kind of fsck on its own (called salvager). Is it possible that the salvager just did not finish its work?

Chris

Hello,

I think I found my problem. It is the /etc/openafs/server-local/SALVAGE.fs file, which is lying on the wrong machine in case of an unclean failover.

This file is created when bos starts, and deleted on a clean shutdown. On a crash, this file remains and tells bos to salvage on the next startup. Naturally, this is not useful if I start bos on another machine.

I will probably move the server-local directory to common external storage as well, or just touch SALVAGE.fs on startup.

Stefan

--
http://www.heimers.ch