Hello, still working on this.
Jason said:
> These instructions might help.
> http://www.dementia.org/twiki/bin/view/AFSLore/FedoraAFSInstall

They look clear, thank you for the pointer Jason! Except they still assume you own & manage your own Unix KDC, which is not true here.

The new test machine has the same AFS cell name as the production server; all real clients look to the production server & I can build a test client to look to this test server. Right now the only client is on the test AFS server itself.

Um! On the real Win2K server, the new test server vlad appears in the top GUI window alongside the real Win2K AFS server! It doesn't see any volumes or partitions but does show the Unix processes. So somehow they are communicating. Bit worried about that.

Sergio Gelato said:
> How much downtime (if any) are you willing to accept for your cell?

None, in production hours, but weekends definitely possible.

> My favourite cell setup instructions are the ones that ship as part of
> the Debian OpenAFS packages. The reason is that they don't require you
> to use the -noauth switch.

When I looked at this, the only "instructions" for configuring a new AFS server were: "Run afs-newcell" & "Run afs-rootvol", which are perl scripts. Is that what you mean?

Jason said:
> You don't need to set up a KDC, but you must make sure that the
> Linux server can kinit against the AD servers.

Stuck there. Servers are running, no errors in logfiles (that I can see); client processes running, but they start with the error:

afsd: Can't mount AFS on /afs(22)

/afs is empty underneath - no afs cellname. CellServDB & ThisCell are correct. Haven't figured this out yet, pointers welcome.

Next they say login to Kerberos, then AFS:

[EMAIL PROTECTED]> kinit admin
kinit(v5): Client not found in Kerberos database while getting initial credentials

No matter what variant I tried, that's the response.

On the production Win2K AFS server, the AFS administrative account is 'admin', so it's just an assumption that that's the Kerberos principal name having to do with our AFS service??

I'm still semi-puzzled whether AFS accounts are separate from Kerberos accounts, or not. They must be: accounts have different passwords within AFS than in Kerberos (or ADS, which I presume in our context 'acts' like Kerberos) & there are accounts on our AFS server that definitely don't exist in Kerberos. So does AFS/Kerberos work such that the AFS account "admin" on the Win2K AFS server is guaranteed to be an account existing in Kerberos having to do with AFS, & that the password for the AFS account admin will = the Kerberos (or kinit) password? I wonder if, for instance, the Kerberos account 'admin' may have to do with admin of Kerberos/ADS, in which case only the KDC admin will know it & there must be some other KDC/ADS 'afs-admin' related account. I'll ask him, but I think he knows nearly nothing about this AFS server, set up long ago.

[EMAIL PROTECTED]> aklog
aklog: Couldn't get <cellname> AFS tickets:
aklog: unknown RPC error (-1765328189) while getting AFS tickets

Haven't figured that out at all. Even klog doesn't work:

[EMAIL PROTECTED]> klog admin
Password: [ hangs a long time ]
Unable to authenticate to AFS because Authentication Server was Unavailable

On production AFS client machines klog admin works & tokens shows the right AFS ID & afs@<cellname>, so the problem is my test machine vlad &/or the KDC not wanting to respond to it.

The KDC is a Win2003 server. I can login to it & look at logs. Nothing in EventLog looks relevant, or even timestamped at the time I'm testing. The only software that looks like it's doing KDC things is Active Directory. I'd like to find relevant KDC/ADS logfiles, but only EventLog so far. Or does it sound like vlad, my test AFS server, is not contacting the Win2003 Kerberos server at all? On vlad, /etc/krb.conf has the ADS domain & server:port looking good.

/etc/krb5.conf looks good & I can confirm it authenticates my user login account to the Win2003 KDC ok (timestamps match SYSTEM entries in SecurityLog). krb.realms is not relevant??? (As distributed it's very sparse.)

Since this ADS/KDC talks to IBM AFS 3.5, could it be tweaked such that it can't communicate properly with this modern OpenAFS server? Some googling suggested that on the KDC WINNT\system32\drivers\etc\hosts might need to contain the Unix AFS server ip+name; but it doesn't contain the Win2K AFS ip+name. (But that's k4.) I wouldn't dare change anything on the KDC myself.

Hints/advice/pointers gratefully welcomed!

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
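The "unknown RPC error (-1765328189)" that aklog prints in the post above is not an RPC code at all: aklog falls back to that wording for any error number it cannot name, and numbers in that range are com_err codes from the Kerberos library. The table a com_err code belongs to is recoverable from the number itself (the table name is packed four characters at a time, six bits each, into the high 24 bits; the low 8 bits are the index into that table). The script below is an added example, not code from the mailing-list post or from OpenAFS; it reimplements that packing to split a raw code into table name and offset, then matches the offset against a small hand-picked subset of krb5 error names. The `KRB5_OFFSETS` map is an assumption about which names matter for this thread (a handful of codes taken from krb5's own error table); anything else is reported by offset only, and the sample aklog line is the one quoted above.

```python
"""Decode a com_err-style numeric error such as the one aklog prints.

Added example (not from the OpenAFS post or the OpenAFS sources).
com_err packs an error table's name into the code: up to four
characters, 6 bits each, shifted left by 8; the low byte is the
offset of the message within that table. This lets a bare number
like -1765328189 be attributed to the "krb5" table and looked up.
"""
import re

# com_err alphabet: index 1 = 'A' ... 26 = 'Z', 27 = 'a' ... 52 = 'z',
# 53..62 = '0'..'9', 63 = '_'. A 6-bit value of 0 means "no character".
_COM_ERR_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Assumption: only this hand-picked subset of krb5_err.et offsets is named
# here; it covers the cases quoted in the thread plus a few common ones.
KRB5_OFFSETS = {
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed"),
    31: ("KRB5KRB_AP_ERR_BAD_INTEGRITY", "Decrypt integrity check failed"),
    37: ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great"),
    156: ("KRB5_KDC_UNREACH", "Cannot contact any KDC for requested realm"),
    195: ("KRB5_FCC_NOFILE", "No credentials cache found"),
}


def table_base_name(base):
    """Recover the com_err table name from a table base value (offset 0)."""
    packed = (base & 0xFFFFFFFF) >> 8          # drop the offset byte, keep 24 bits
    name = ""
    for shift in (18, 12, 6, 0):               # four 6-bit characters, MSB first
        idx = (packed >> shift) & 0x3F
        if idx:
            name += _COM_ERR_CHARS[idx - 1]
    return name


def split_com_err(code):
    """Split a com_err code into (table_name, offset, table_base).

    Accepts either the signed value tools print (-1765328189) or the
    same bits as an unsigned 32-bit number.
    """
    code &= 0xFFFFFFFF                         # normalise to 32 bits ...
    if code & 0x80000000:
        code -= 1 << 32                        # ... then reinterpret as signed
    offset = code & 0xFF                       # low byte: index within the table
    base = code - offset                       # table base, i.e. code for offset 0
    return table_base_name(base), offset, base


def explain(code):
    """Human-readable attribution of a com_err code."""
    table, offset, _ = split_com_err(code)
    if table == "krb5" and offset in KRB5_OFFSETS:
        name, msg = KRB5_OFFSETS[offset]
        return f"{code}: {table} table, offset {offset}: {name} ({msg})"
    return f"{code}: {table} table, offset {offset} (not in local name map)"


def decode_aklog_line(line):
    """Pull the number out of an aklog 'unknown RPC error (N)' line and explain it."""
    m = re.search(r"\((-?\d+)\)", line)
    return explain(int(m.group(1))) if m else None


if __name__ == "__main__":
    # Constructed sample: the aklog line quoted in the post above.
    SAMPLE = "aklog: unknown RPC error (-1765328189) while getting AFS tickets"
    print(decode_aklog_line(SAMPLE))
```

Run against the quoted line, the decoder attributes -1765328189 to the krb5 table at offset 195, which is KRB5_FCC_NOFILE ("No credentials cache found"): aklog is reporting that it found no Kerberos ticket to convert into an AFS token, which is consistent with the preceding kinit having failed rather than being a separate fault in the AFS side. The earlier kinit message, "Client not found in Kerberos database", is the same table's offset 6, so the first thing to establish is whether a principal named admin actually exists in the AD realm named in /etc/krb5.conf.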
