[22770] in Athena Bugs


Re: sun4 9.2.7: afs & tokens

daemon@ATHENA.MIT.EDU (Garry Zacheiss)
Fri Jul 4 00:20:05 2003

Message-Id: <200307040420.AAA26249@indian-burial-ground-pet-store.mit.edu>
To: "Karen E. Walrath" <karen@MIT.EDU>
cc: bugs@MIT.EDU
In-Reply-To: Your message of "Thu, 03 Jul 2003 20:05:51 EDT."
             <200307040005.h6405p1W001737@pelli.mit.edu> 
Date: Fri, 04 Jul 2003 00:20:03 -0400
From: Garry Zacheiss <zacheiss@MIT.EDU>

Your fileserver is running old AFS server software that doesn't
understand rxkad 2b tokens, which are derived from Kerberos 5 tickets
and not Kerberos 4 tickets; /bin/athena/aklog in Athena 9.2 is krb5
based by default, but you can reproduce this failure using aklog5 from
the sipb locker on 9.1 and earlier.

Options for fixing it:

1.) Upgrade your cell to OpenAFS 1.2.8 or later.  This is what's running
    in production in the athena.mit.edu cell and all of our other
    cells.  It's much more stable than anything we ever got from
    Transarc.

2.) Ask the ATHENA.MIT.EDU KDC maintainers to configure the krb524d to
    not hand out krb5 tickets in response to requests for
    afs/soap.mit.edu@ATHENA.MIT.EDU.  Asking them to configure it
    identically to how the net.mit.edu cell is configured should be
    sufficient.

If you take 2 you probably want to strongly consider upgrading your
server binaries to something more recent anyway.  I'm happy to help you
with that if you'd like.

Garry

