Hello, I am trying OpenAFS, but it does not seem to be working correctly with Kerberos.
I am attempting to install an OpenAFS server and client on the same machine (Ubuntu 13.10), using Samba4 as an AD controller with its built-in Kerberos server. The server uses PowerBroker for authentication and Kerberos. The steps I followed and documented as I went (from the Quickstart guide for Linux) are listed below. No matter what I do, I receive an error about an unknown key version number.

    root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com -localauth
    key 6 has cksum 1466094097
    Keys last changed on Tue Dec 31 21:06:31 2013.
    All done.
    root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com
    bos: ticket contained unknown key version number error encountered while listing keys
    root@ueafs1:/etc#

The keytab appears to be fine, and shows the correct version:

    root@ueafs1:/etc# /opt/pbis/bin/klist -k /etc/afs.keytab
    Keytab name: WRFILE:/etc/afs.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       6 afs/ad.domain....@ad.domain.com

What might I be missing? I've spent a solid 8 hours monkeying with this and making no progress. Thanks in advance.
* Installation steps

    # Download Powerbroker and install
    wget http://download.beyondtrust.com/PBISO/7.5.3.1536/linux.deb.x64/pbis-open-7.5.3.1536.linux.x86_64.deb.sh
    sh ./pbis-open-7.5.3.1536.linux.x86_64.deb.sh

    # Join to domain
    domainjoin-cli join --ou 'All Computers/Servers' AD.DOMAIN.COM username
    /opt/pbis/bin/config UserDomainPrefix BRS
    /opt/pbis/bin/config AssumeDefaultDomain true
    /opt/pbis/bin/config HomeDirTemplate "%H/%U"
    /opt/pbis/bin/config LoginShellTemplate /bin/bash
    reboot

    # Add OpenAFS repository
    add-apt-repository ppa:openafs/stable
    apt-get update

    # Set up 2nd volume in LVM
    apt-get install lvm2
    # Set options to be Linux LVM
    fdisk /dev/vxdf
    pvcreate /dev/xvdf1
    vgcreate vgafs /dev/xvdf1
    lvcreate -l 6399 -n vicepa vgafs
    mkdir /vicepa
    echo "/dev/vgafs/vicepa /vicepa ext4 defaults 0 0" >> /etc/fstab
    mount /vicepa

    # Install OpenAFS packages
    # Set cell name to match Kerberos Realm when prompted
    apt-get install libpam-openafs-kaserver openafs-client openafs-dbserver openafs-fileserver openafs-krb5

    # Stop OpenAFS processes and start BOS with -noauth
    /etc/init.d/openafs-fileserver stop
    /usr/sbin/bosserver -noauth

    # Edit /etc/openafs/CellServDB and add realm and server
    bos setcellname <servername> <cellname> -noauth
    bos listhosts <servername> -noauth
    # Ensure that proper IP address is in /etc/openafs/server/CellServDB, and not 127.0.0.1
    bos create ueafs1.ad.domain.com buserver simple /usr/lib/openafs/buserver -noauth
    bos create ueafs1.ad.domain.com ptserver simple /usr/lib/openafs/ptserver -noauth
    bos create ueafs1.ad.domain.com vlserver simple /usr/lib/openafs/vlserver -noauth

    # Create "afs" user in AD
    samba-tool spn add afs/ad.domain.com afs
    samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com
    # Also tried from Windows using the following and copying the keytab:
    ktpass -princ afs/ad.domain....@ad.domain.com -mapuser a...@ad.domain.com -mapOp add -out keytab.afs +rndPass -ptype KRB5_NT_PRINCIPAL +DumpSalt -crypto DES-CBC-CRC

    # Copy /tmp/afs from Samba (or from Windows) to OpenAFS server in /etc/afs.keytab
    /opt/pbis/bin/kinit administra...@ad.domain.com
    /opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
    asetkey add 6 /etc/afs.keytab afs/ad.domain.com
    bos adduser ueafs1.ad.domain.com admin -noauth
    bos adduser ueafs1.ad.domain.com kpettijohn -noauth
    bos listkeys ueafs1.ad.domain.com -noauth

    # Kill bos and restart
    pkill bosserver
    /usr/sbin/bosserver -noauth

    # Initialize Protection Database
    pts createuser -name admin -noauth
    pts createuser -name kpettijohn -noauth
    pts adduser admin system:administrators -noauth
    pts adduser kpettijohn system:administrators -noauth
    pts membership admin -noauth
    bos restart ueafs1.ad.domain.com -all -noauth

    # Start file server processes
    bos create ueafs1.ad.domain.com fs fs /usr/lib/openafs/fileserver \
        /usr/lib/openafs/volserver /usr/lib/openafs/salvager -noauth
    bos status ueafs1.ad.domain.com fs -long -noauth
    vos create ueafs1.ad.domain.com vicepa root.afs -noauth

    # Update server
    bos create ueafs1.ad.domain.com upserver simple "/usr/lib/openafs/upserver -crypt /etc/openafs" -noauth

    # Restart BOS server using packages
    pkill bosserver
    /etc/init.d/openafs-fileserver start
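The "ticket contained unknown key version number" error is raised when the server looks up the KVNO carried in the client's service ticket and finds no matching entry in its KeyFile. The post checks the keytab and the KeyFile (both show key 6) but never the KVNO the KDC actually puts in the ticket, which `kvno` prints. The script below is an added example, not part of the original post or of OpenAFS: it parses the three outputs (`klist -k`, `bos listkeys`, `kvno`) and reports which of the three places disagree. The sample outputs embedded in it are constructed to match the formats shown above, with a deliberately mismatching ticket KVNO of 7 so the failure path is exercised; the principal and realm names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): compare the key version
# number (KVNO) in the three places that must agree for a service ticket
# to be accepted: the keytab, the server KeyFile and the ticket itself.

# Constructed sample of "klist -k /etc/afs.keytab" output
KLIST_OUT='Keytab name: WRFILE:/etc/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 afs/ad.domain.com@AD.DOMAIN.COM'

# Constructed sample of "bos listkeys <server> -localauth" output
BOS_OUT='key 6 has cksum 1466094097
Keys last changed on Tue Dec 31 21:06:31 2013.
All done.'

# Constructed sample of "kvno afs/ad.domain.com" output for the current
# ticket; the KDC issued version 7, one higher than what was installed
KVNO_OUT='afs/ad.domain.com@AD.DOMAIN.COM: kvno = 7'

# keytab_kvnos: the KVNO column of "klist -k" output, one number per line
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -un
}

# keyfile_kvnos: key numbers listed by "bos listkeys", one per line
keyfile_kvnos() {
    printf '%s\n' "$1" | awk '$1 == "key" { print $2 }' | sort -un
}

# ticket_kvno: the version number the KDC placed in the service ticket
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# has_kvno: succeed if $2 appears as a whole line in the list $1
has_kvno() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# check_kvnos: report where the ticket's KVNO is missing; succeeds only
# when it is present in both the keytab and the KeyFile
check_kvnos() {
    kt=$(keytab_kvnos "$1")
    kf=$(keyfile_kvnos "$2")
    tk=$(ticket_kvno "$3")
    ok=0
    if ! has_kvno "$kt" "$tk"; then
        echo "ticket kvno $tk is not in the keytab (has: $(printf '%s' "$kt" | tr '\n' ' '))"
        ok=1
    fi
    if ! has_kvno "$kf" "$tk"; then
        echo "ticket kvno $tk is not in the KeyFile (has: $(printf '%s' "$kf" | tr '\n' ' '))"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "ticket kvno $tk is present in keytab and KeyFile"
    return "$ok"
}

# Run against the constructed samples; exit status is left untouched so
# the demonstration itself never aborts a calling shell
if check_kvnos "$KLIST_OUT" "$BOS_OUT" "$KVNO_OUT"; then
    echo "result: consistent"
else
    echo "result: mismatch, re-export the keytab and re-run asetkey"
fi
```

On a real server, feed the functions the live outputs (`klist -k`, `bos listkeys ... -localauth`, and `kvno` after a fresh `kinit`) instead of the constructed strings. The script compares version numbers only; the encryption type of the keytab entry, which `klist -ke` shows, also has to be one `asetkey` accepts, which is why the ktpass line above forces DES-CBC-CRC.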