> > Thanks, Ben. Copying a regular krb5 keytab to
> > /usr/local/etc/openafs/server/rxkad.keytab worked and I was able to proceed
> > until trying to create a user. I tried running
> >
> > pts createuser -name test -id 1000 -localauth
> >
> > but it returns
> >
> > > pts: server or network not responding; unable to create user test with id
> > > 1000
>
> Does it hang for a little while before returning this error?
>

It does, for somewhere around 30 seconds.

> > I find out what's causing the error? I tried to learn what was going on
> > with truss and found that it was complaining that no
> > /usr/local/etc/openafs/server/KeyFile and
> > /usr/local/etc/openafs/server/UserList files existed, so I touched them,
> > but that didn't make a difference. I shouldn't need the KeyFile at
> > all if /usr/local/etc/openafs/server/rxkad.keytab is present, correct?
>
> Don't create those files; we just probe to see if they exist, but
> indeed, you don't need them.
>
> > In case it is relevant, when I run the pts createuser command with
> > -noauth it immediately returns a "Permission denied" error.
>
> That's helpful to know, since it shows we don't actually have a problem
> with simply contacting the server. Questions and things to try:
>
> Can you run any command successfully with -localauth? A good simple test
> is 'bos status' like you showed; just run it with -localauth.
>

Yes, this works. It immediately says that buserver, vlserver, and ptserver are running normally.

>
> Did you restart the servers after putting rxkad.keytab in place? (This
> isn't always necessary, but at least in situations like this I think
> it's simpler to do so.)
>

Yeah, I did stop/start them. Later I also tried deleting and recreating them, not sure if that introduced any problems.

>
> Can you show the contents of rxkad.keytab? Not the keys, obviously; just
> what the principals and enctypes are.
>

Sure thing:

Vno  Type                     Principal               Aliases
  2  aes256-cts-hmac-sha1-96  afs/[email protected]
  2  des3-cbc-sha1            afs/[email protected]
  2  arcfour-hmac-md5         afs/[email protected]

--
Eric Shell
