Re: [OpenAFS] Changing Kerberos Server?
Hi Derek, krb5.conf is up to date. I dumped the database on the old server, loaded it on the new server and createt the stash-file and host-key for the Kebreros Server. After your mail i createt the afs/Prinzipal new and imported the new key. But it does not help. Wenn I do aklog -d i get the following: > Authenticating to cell testsystem.test (server afs01.center.testsystem.test). > We've deduced that we need to authenticate to realm TESTSYSTEM.TEST. > Getting tickets: [EMAIL PROTECTED] > Kerberos error code returned by get_cred: -1765328228 > aklog: Couldn't get testsystem.test AFS tickets: > aklog: Cannot contact any KDC for requested realm while getting AFS tickets So it gets the afs-service ticket from Kerberos but cannot log in to afs with it. I have the local Kerberos-KDC as a secondary kdc in the /etc/krb5.conf. When i start the lokal KDC-Deamon, it works fine. The Kerberos-Database is the same, host keys are exportet on both kdcs. The new, extra-Kerberos-Server is Version 1.2.4, the local one 1.2.5. Any ideas? Thanks, Klaas - Original Message - From: "Derek Atkins" <[EMAIL PROTECTED]> To: "Klaas Hagemann" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, August 02, 2002 12:07 AM Subject: Re: [OpenAFS] Changing Kerberos Server? > Is your krb5.conf up to date with the new KDC location? > Did you just rename the KDC or did you create a new > database? Are you sure the AFS key is the same? > What do you get from 'aklog -d'? > > -derek > > "Klaas Hagemann" <[EMAIL PROTECTED]> writes: > > > Hi, > > > > i have installed OpenAFS with Kerberos-Integration on my Kerberos-Server. > > Now my Kerberos-Server has moved. > > > > Kerberos itsself works fine, i get a ticket and also get the afs/REALM > > ticket. But aklog then fails. > > It says: > > couldn't get afs tickets: > > cannot contact any kdc for requested realm while getting AFS-Tickets > > > > When i then do klist, i have the service ticket for afs, so kerberos works > > and /etc/krb5.conf is correct. > > When i start kerberos services on the afs-server again, it works fine. > > > > Any ideas? > > > > Klaas > > > > ___ > > OpenAFS-info mailing list > > [EMAIL PROTECTED] > > https://lists.openafs.org/mailman/listinfo/openafs-info > > -- >Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory >Member, MIT Student Information Processing Board (SIPB) >URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH >[EMAIL PROTECTED]PGP key available > ___ > OpenAFS-info mailing list > [EMAIL PROTECTED] > https://lists.openafs.org/mailman/listinfo/openafs-info ___ OpenAFS-info mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Changing Kerberos Server?
> Hi Derek, > > krb5.conf is up to date. > I dumped the database on the old server, loaded it on the new server and > createt the stash-file and host-key for the Kebreros Server. > After your mail i createt the afs/Prinzipal new and imported the new key. > But it does not help. > Wenn I do aklog -d i get the following: > > > Authenticating to cell testsystem.test (server > afs01.center.testsystem.test). > > We've deduced that we need to authenticate to realm TESTSYSTEM.TEST. > > Getting tickets: [EMAIL PROTECTED] > > Kerberos error code returned by get_cred: -1765328228 > > aklog: Couldn't get testsystem.test AFS tickets: > > aklog: Cannot contact any KDC for requested realm while getting AFS > tickets > > So it gets the afs-service ticket from Kerberos but cannot log in to afs > with it. Why do you think it got the afs-service ticket? The "Kerberos error code returned by get_cred" means "No local name found for principal". Are you sure the KDC that you are talking to has a principal "[EMAIL PROTECTED]"? I *think* aklog tries both "[EMAIL PROTECTED]" and "[EMAIL PROTECTED] E". Which of these do you have? > I have the local Kerberos-KDC as a secondary kdc in the /etc/krb5.conf. > When i start the lokal KDC-Deamon, it works fine. The Kerberos-Database is > the same, host keys are exportet on both kdcs. > The new, extra-Kerberos-Server is Version 1.2.4, the local one 1.2.5. > > Any ideas? > > Thanks, Klaas > - Original Message - > From: "Derek Atkins" <[EMAIL PROTECTED]> > To: "Klaas Hagemann" <[EMAIL PROTECTED]> > Cc: <[EMAIL PROTECTED]> > Sent: Friday, August 02, 2002 12:07 AM > Subject: Re: [OpenAFS] Changing Kerberos Server? > > > > Is your krb5.conf up to date with the new KDC location? > > Did you just rename the KDC or did you create a new > > database? Are you sure the AFS key is the same? > > What do you get from 'aklog -d'? > > > > -derek > > > > "Klaas Hagemann" <[EMAIL PROTECTED]> writes: > > > > > Hi, > > > > > > i have installed OpenAFS with Kerberos-Integration on my > Kerberos-Server. > > > Now my Kerberos-Server has moved. > > > > > > Kerberos itsself works fine, i get a ticket and also get the afs/REALM > > > ticket. But aklog then fails. > > > It says: > > > couldn't get afs tickets: > > > cannot contact any kdc for requested realm while getting AFS-Tickets > > > > > > When i then do klist, i have the service ticket for afs, so kerberos > works > > > and /etc/krb5.conf is correct. > > > When i start kerberos services on the afs-server again, it works fine. > > > > > > Any ideas? > > > > > > Klaas > > > > > > ___ > > > OpenAFS-info mailing list > > > [EMAIL PROTECTED] > > > https://lists.openafs.org/mailman/listinfo/openafs-info > > > > -- > >Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory > >Member, MIT Student Information Processing Board (SIPB) > >URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH > >[EMAIL PROTECTED]PGP key available > > ___ > > OpenAFS-info mailing list > > [EMAIL PROTECTED] > > https://lists.openafs.org/mailman/listinfo/openafs-info > > > > ___ > OpenAFS-info mailing list > [EMAIL PROTECTED] > https://lists.openafs.org/mailman/listinfo/openafs-info > ___ OpenAFS-info mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Changing Kerberos Server?
Hi Derek, krb5.conf is up to date. I dumped the database on the old server, loaded it on the new server and createt the stash-file and host-key for the Kebreros Server. After your mail i createt the afs/Prinzipal new and imported the new key. But it does not help. Wenn I do aklog -d i get the following: > Authenticating to cell testsystem.test (server afs01.center.testsystem.test). > We've deduced that we need to authenticate to realm TESTSYSTEM.TEST. > Getting tickets: [EMAIL PROTECTED] > Kerberos error code returned by get_cred: -1765328228 > aklog: Couldn't get testsystem.test AFS tickets: > aklog: Cannot contact any KDC for requested realm while getting AFS tickets So it gets the afs-service ticket from Kerberos but cannot log in to afs with it. I have the local Kerberos-KDC as a secondary kdc in the /etc/krb5.conf. When i start the lokal KDC-Deamon, it works fine. The Kerberos-Database is the same, host keys are exportet on both kdcs. The new, extra-Kerberos-Server is Version 1.2.4, the local one 1.2.5. Any ideas? Thanks, Klaas - Original Message - From: "Derek Atkins" <[EMAIL PROTECTED]> To: "Klaas Hagemann" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, August 02, 2002 12:07 AM Subject: Re: [OpenAFS] Changing Kerberos Server? > Is your krb5.conf up to date with the new KDC location? > Did you just rename the KDC or did you create a new > database? Are you sure the AFS key is the same? > What do you get from 'aklog -d'? > > -derek > > "Klaas Hagemann" <[EMAIL PROTECTED]> writes: > > > Hi, > > > > i have installed OpenAFS with Kerberos-Integration on my Kerberos-Server. > > Now my Kerberos-Server has moved. > > > > Kerberos itsself works fine, i get a ticket and also get the afs/REALM > > ticket. But aklog then fails. > > It says: > > couldn't get afs tickets: > > cannot contact any kdc for requested realm while getting AFS-Tickets > > > > When i then do klist, i have the service ticket for afs, so kerberos works > > and /etc/krb5.conf is correct. > > When i start kerberos services on the afs-server again, it works fine. > > > > Any ideas? > > > > Klaas > > > > ___ > > OpenAFS-info mailing list > > [EMAIL PROTECTED] > > https://lists.openafs.org/mailman/listinfo/openafs-info > > -- >Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory >Member, MIT Student Information Processing Board (SIPB) >URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH >[EMAIL PROTECTED]PGP key available > ___ > OpenAFS-info mailing list > [EMAIL PROTECTED] > https://lists.openafs.org/mailman/listinfo/openafs-info ___ OpenAFS-info mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-info