avison48 wrote:
> Thank you very much Sergio (and Jason for F9 pointer)!
> I gave up on using the microsoft KDC server for now & as someone suggested
> followed the Fedora9 instructions to do as they do, own+operate RHEL kdc
> server on the new (test) AFS server itself to get everything working.
> Doing this, things are progressing further.
>
> But it seems just using "afs" is insufficient on RHEL :
>
> [EMAIL PROTECTED]> kadmin.local -q "addprinc -randkey afs"
> Authenticating as principal root/[EMAIL PROTECTED] with password.
> WARNING: no policy specified for [EMAIL PROTECTED]; defaulting to no policy
> Principal "[EMAIL PROTECTED]" created.
>
> Because down the road aklog failed:
> aklog: Couldn't get atest.phy AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
>
> Based on the error in /var/log/krb5kdc.log:
> UNKNOWN_SERVER: authtime 1222007068, [EMAIL PROTECTED] for
> afs/[EMAIL PROTECTED], Server not found in Kerberos database
>
> it seems pretty obvious there was a difference between
> Principal "[EMAIL PROTECTED]"
> and
> afs/[EMAIL PROTECTED]
> So the solution was to instead use afs/<cellname>
>
> [EMAIL PROTECTED]> kadmin.local -q "addprinc -randkey afs/atest.phy"
>

I see both atest.phy and ktest.phy used as the cell/realm name. They should be the same. Since you are setting up your own KDC, be sure to use a different realm name from the production realm. Subdomains work well for this.

> Then aklog works. (Is there a different/better solution?)
> But then next step fs setacl doesn't:
>
> [EMAIL PROTECTED]> fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
>

Your client is probably configured for dynamic root mode. The above command will fail in that case. You can disable dynroot mode by editing /etc/sysconfig/openafs temporarily and rebooting. Another option is to skip this step and proceed to "fs setacl /afs/example.com" and then mount the root.afs under /afs/example.com long enough to set the acls.

> I've reproduced this on another test server, exactly.
>
> Can anyone clarify using afs in the kerberos commands vs afs/<cellname> ??
>

afs/cellname is the newer and preferred convention. It allows for multiple cells per realm. Newer clients will try afs/[EMAIL PROTECTED] then [EMAIL PROTECTED]. I'm not sure why [EMAIL PROTECTED] didn't work.

>> I also see /usr/share/doc/openafs-dbserver/README.servers.gz and
>> /usr/share/doc/openafs-dbserver/configuration-transcript.txt.gz.
>>
>
> These appear to be un-RHEL things - no such package openafs-docs for RHEL.
> Could you send them to me somehow?
> The posting & perl scripts listed on
> http://lists.openafs.org/pipermail/openafs-info/2005-August/019061.html
> are somewhat useful, if they're not out of date.
>
> Very grateful thanks to all for hints+help.
>

Those files are part of the debian packaging. You can find them in CVS or at http://www.openafs.org/cgi-bin/cvsweb.cgi/openafs/src/packaging/Debian/ just click on the link for the version of the file.

Jason

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
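Added example, not part of the thread: a small Python checker that reads the UNKNOWN_SERVER lines aklog failures leave in krb5kdc.log, splits the requested service principal into primary/instance/realm, and compares it with the principals the KDC actually has, so the two causes discussed above (only a bare afs principal exists, or the cell and realm names were typed differently, as with atest.phy vs ktest.phy) are reported explicitly. The log lines, the realm ATEST.PHY and the principal list are constructed placeholders; the cell-equals-realm check is a heuristic for Jason's "they should be the same" remark, since afs/cell exists precisely so that several cells can share one realm.

```python
import re

# Constructed sample krb5kdc.log lines modelled on the excerpt in the thread.
# Realm ATEST.PHY, cells atest.phy/ktest.phy, client and host are placeholders.
SAMPLE_KDC_LOG = """\
Sep 21 15:04:28 kdc krb5kdc[2021](info): TGS_REQ (1 etypes {16}) 10.0.0.5: UNKNOWN_SERVER: authtime 1222007068, avison@ATEST.PHY for afs/atest.phy@ATEST.PHY, Server not found in Kerberos database
Sep 21 15:04:29 kdc krb5kdc[2021](info): TGS_REQ (1 etypes {16}) 10.0.0.5: ISSUE: authtime 1222007068, etypes {rep=16 tkt=16 ses=16}, avison@ATEST.PHY for krbtgt/ATEST.PHY@ATEST.PHY
Sep 21 15:06:02 kdc krb5kdc[2021](info): TGS_REQ (1 etypes {16}) 10.0.0.5: UNKNOWN_SERVER: authtime 1222007162, avison@ATEST.PHY for afs/ktest.phy@ATEST.PHY, Server not found in Kerberos database
"""

# Constructed principal list, as "kadmin.local -q listprincs" would show it
# right after the thread's first addprinc: only the bare "afs" principal exists.
EXISTING_PRINCIPALS = {"avison@ATEST.PHY", "krbtgt/ATEST.PHY@ATEST.PHY", "afs@ATEST.PHY"}

UNKNOWN_SERVER_RE = re.compile(
    r"UNKNOWN_SERVER: authtime (?P<authtime>\d+), (?P<client>\S+) for "
    r"(?P<service>\S+), Server not found in Kerberos database")


def parse_unknown_server(line):
    """Split one UNKNOWN_SERVER line into its parts; None for any other line."""
    m = UNKNOWN_SERVER_RE.search(line)
    if m is None:
        return None
    name, _, realm = m.group("service").rpartition("@")   # afs/cell @ REALM
    primary, _, instance = name.partition("/")            # afs / cell
    return {"authtime": int(m.group("authtime")), "client": m.group("client"),
            "service": m.group("service"), "primary": primary,
            "instance": instance, "realm": realm}


def diagnose(rec, existing):
    """Explain why the requested service principal was not found in the KDC."""
    if rec["service"] in existing:
        return "present"   # not a naming problem; check which KDC the client asked
    if rec["primary"] != "afs" or not rec["instance"]:
        return "missing"
    cell, realm = rec["instance"], rec["realm"]
    if cell.upper() != realm:   # heuristic: this thread expects cell == realm
        return f"cell {cell!r} does not match realm {realm!r}; check cell vs realm spelling"
    if f"afs@{realm}" in existing:
        return f"only legacy afs@{realm} exists; add afs/{cell} (addprinc -randkey afs/{cell})"
    return f"missing; add afs/{cell}"


def scan_log(text, existing):
    """Return (service, diagnosis) for every UNKNOWN_SERVER line in the log text."""
    out = []
    for line in text.splitlines():
        rec = parse_unknown_server(line)
        if rec is not None:
            out.append((rec["service"], diagnose(rec, existing)))
    return out
```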
