On 01.01.2014 03:31, Kristofer Pettijohn wrote:
Hello,

I am trying OpenAFS, but it does not seem to be working correctly with
Kerberos.

I am attempting to install an OpenAFS server and client on the same
machine (Ubuntu 13.10), using Samba4 as an AD controller with its built
in Kerberos server.  The server uses PowerBroker for authentication and
kerberos.

The steps I followed and documented as I went (from the Quickstart guide
for Linux) are listed below.

On Debian/Ubuntu, you can also run the afs-newcell script after installation.

No matter what I do, I receive an error about an unknown key version number.

root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com -localauth
key 6 has cksum 1466094097
Keys last changed on Tue Dec 31 21:06:31 2013.
All done.
root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com
bos: ticket contained unknown key version number error encountered while
listing keys
root@ueafs1:/etc#

The keytab appears to be fine, and shows the correct version:

root@ueafs1:/etc# /opt/pbis/bin/klist -k /etc/afs.keytab
Keytab name: WRFILE:/etc/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    6 afs/ad.domain....@ad.domain.com


What might I be missing?  I've spent a solid 8 hours monkeying with this
and making no progress.

Did you check that the kvno in your OpenAFS keyfile matches the kvno of the key in your KDC? If they don't match, you need to export the key again (each modification changes the kvno).

# Add OpenAFS repository

add-apt-repository ppa:openafs/stable
apt-get update
# Install OpenAFS packages
# Set cell name to match Kerberos Realm when prompted
apt-get install libpam-openafs-kaserver openafs-client openafs-dbserver \
     openafs-fileserver openafs-krb5

You don't want libpam-openafs-kaserver, but libpam-afs-session (but that's not related to your problem).

# Stop OpenAFS processes and start BOS with -noauth
/etc/init.d/openafs-fileserver stop
/usr/sbin/bosserver -noauth

# Edit /etc/openafs/CellServDB and add realm and server

bos setcellname <servername> <cellname> -noauth
bos listhosts <servername> -noauth

# Ensure that the proper IP address is in /etc/openafs/server/CellServDB, and not 127.0.0.1

bos create ueafs1.ad.domain.com buserver simple /usr/lib/openafs/buserver -noauth
bos create ueafs1.ad.domain.com ptserver simple /usr/lib/openafs/ptserver -noauth
bos create ueafs1.ad.domain.com vlserver simple /usr/lib/openafs/vlserver -noauth

# Create "afs" user in AD

samba-tool spn add afs/ad.domain.com afs
samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com

Is "ad.domain.com" your actual cell name, or is it only "domain.com"?

# Also tried from Windows using the following and copying the keytab:
ktpass -princ afs/ad.domain....@ad.domain.com -mapuser a...@ad.domain.com -mapOp add -out keytab.afs +rndPass -ptype KRB5_NT_PRINCIPAL +DumpSalt -crypto DES-CBC-CRC
# Copy /tmp/afs from Samba (or from Windows) to the OpenAFS server as /etc/afs.keytab

/opt/pbis/bin/kinit administra...@ad.domain.com
/opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
asetkey add 6 /etc/afs.keytab afs/ad.domain.com

Starting with 1.6.5.1, you don't need to use asetkey anymore. You can export the key to /etc/openafs/server/rxkad.keytab directly and it will be used by OpenAFS just fine. You're also not restricted to DES-CBC-CRC anymore.

bos adduser ueafs1.ad.domain.com admin -noauth
bos adduser ueafs1.ad.domain.com kpettijohn -noauth
bos listkeys ueafs1.ad.domain.com -noauth

# Kill bos and restart

pkill bosserver
/usr/sbin/bosserver -noauth

# Initialize Protection Database

pts createuser -name admin -noauth
pts createuser -name kpettijohn -noauth
pts adduser admin system:administrators -noauth
pts adduser kpettijohn system:administrators -noauth
pts membership admin -noauth
bos restart ueafs1.ad.domain.com -all -noauth

# Start file server processes

bos create ueafs1.ad.domain.com fs fs /usr/lib/openafs/fileserver \
     /usr/lib/openafs/volserver /usr/lib/openafs/salvager -noauth

You should consider using the new demand attach fileserver (DAFS) instead, gives much better performance.

HTH...

        Dirk
--
Dirk Heinrichs <dirk.heinri...@altum.de>
Tel: +49 (0)2471 209385 | Mobil: +49 (0)176 34473913
GPG Public Key C2E467BB | Jabber: dirk.heinri...@altum.de
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
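The check Dirk suggests (does the kvno the KDC puts in a service ticket match the kvno in the exported keytab and the key the bosserver has loaded?) can be scripted. The script below is an added example, not code from the thread or from the OpenAFS project. It assumes the principal afs/ad.domain.com@AD.DOMAIN.COM, the MIT-style output of "klist -k" and "kvno" (the PBIS tools used in the thread print the same layout), and the "bos listkeys" output format shown above; the sample outputs embedded in it are constructed, not captured from a real system. Because "kvno" obtains a ticket from the KDC, it reports the version the KDC is using right now, which is the number that must also appear in the keytab and in the server's KeyFile (or rxkad.keytab).

```shell
#!/bin/sh
# Added example (not from the thread): detect the kvno mismatch behind
# "ticket contained unknown key version number". Three places must agree:
#   1. the kvno the KDC puts into a service ticket   ("kvno afs/<cell>")
#   2. the kvno stored in the exported keytab        ("klist -k <keytab>")
#   3. the kvno loaded by the bosserver              ("bos listkeys -localauth")
# Every password reset on the AD object (samba-tool exportkeytab, ktpass +rndPass)
# bumps the KDC's kvno, so 1 moves ahead of 2 and 3 unless the key is re-exported.

PRINC=afs/ad.domain.com    # assumed cell principal (no realm; the realm is stripped below)

# Constructed sample outputs so the script runs offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 afs/ad.domain.com@AD.DOMAIN.COM
   6 afs/ad.domain.com@AD.DOMAIN.COM'
SAMPLE_KVNO_OK='afs/ad.domain.com@AD.DOMAIN.COM: kvno = 6'
SAMPLE_KVNO_STALE='afs/ad.domain.com@AD.DOMAIN.COM: kvno = 7'
SAMPLE_BOS='key 6 has cksum 1466094097
Keys last changed on Tue Dec 31 21:06:31 2013.
All done.'

# keytab_kvnos PRINCIPAL: reads "klist -k" output on stdin and prints the
# distinct kvnos stored for that principal (one per line, ascending).
keytab_kvnos() {
    awk -v p="$1" '{ q = $2; sub(/@.*$/, "", q); if (q == p) print $1 }' | sort -un
}

# ticket_kvno PRINCIPAL: reads "kvno PRINCIPAL" output on stdin and prints the
# kvno the KDC placed in the service ticket, i.e. the version the KDC holds now.
ticket_kvno() {
    awk -v p="$1" '{ q = $1; sub(/@.*$/, "", q); if (q == p && $2 == "kvno") print $NF }'
}

# server_kvnos: reads "bos listkeys" output on stdin and prints the kvnos the
# bosserver has loaded.
server_kvnos() {
    awk '$1 == "key" { print $2 }'
}

# compare_kvno TICKET_KVNO KEYTAB_KVNOS SERVER_KVNOS: returns 0 when the KDC's
# kvno is present both in the keytab and on the server, 1 otherwise, and prints
# which side is behind. Arguments 2 and 3 are whitespace-separated lists.
compare_kvno() {
    c_t=$1
    c_kt=$(echo $2)     # unquoted on purpose: collapses newlines to single spaces
    c_srv=$(echo $3)
    c_rc=0
    case " $c_kt " in
        *" $c_t "*) ;;
        *) echo "keytab lacks kvno $c_t (has: ${c_kt:-none}): export the key from the KDC again"; c_rc=1 ;;
    esac
    case " $c_srv " in
        *" $c_t "*) ;;
        *) echo "server lacks kvno $c_t (has: ${c_srv:-none}): re-run asetkey, or install the keytab as rxkad.keytab and restart bosserver"; c_rc=1 ;;
    esac
    [ "$c_rc" -eq 0 ] && echo "kvno $c_t is consistent across KDC, keytab and server"
    return "$c_rc"
}

# check_live PRINCIPAL KEYTAB SERVER: the same comparison against the real tools.
# Needs a valid Kerberos ticket for "kvno" and root for "bos listkeys -localauth".
check_live() {
    compare_kvno "$(kvno "$1" | ticket_kvno "$1")" \
                 "$(klist -k "$2" | keytab_kvnos "$1")" \
                 "$(bos listkeys "$3" -localauth | server_kvnos)"
}

# Demo on the constructed samples: the consistent case, then the case where the
# KDC has rolled to kvno 7 while keytab and server still hold kvno 6.
kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos "$PRINC")
srv=$(printf '%s\n' "$SAMPLE_BOS" | server_kvnos)
compare_kvno "$(printf '%s\n' "$SAMPLE_KVNO_OK" | ticket_kvno "$PRINC")" "$kt" "$srv"
compare_kvno "$(printf '%s\n' "$SAMPLE_KVNO_STALE" | ticket_kvno "$PRINC")" "$kt" "$srv" || true
```

On a live system the call is "check_live afs/ad.domain.com /etc/afs.keytab ueafs1.ad.domain.com" (with the PBIS paths from the thread, put /opt/pbis/bin first in PATH). A keytab that only shows the current kvno can still fail if a second export happened after the copy; running the check after every export, not just once, catches that.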
