Am 07.03.2016 um 06:18 schrieb Benjamin Kaduk: > It is certainly possible to update the quickstart guide. Concrete > references to a section number or HTML url wherein you want the change to > be made would help. > > Looking at http://docs.openafs.org/QuickStartUnix/HDRWQ80.html, I see: > > % The top-level AFS directory, typically /afs, is a special case: when the > % client is configured to run in dynroot mode (e.g. afsd -dynroot, > % attempts to set the ACL on this directory will return Connection timed > % out. This is because the dynamically- generated root directory is not a > % part of the global AFS space, and cannot have an access control list set > % on it. > > Prior to that is a note about "When the root.afs volume is replicated, the > Cache Manager is programmed to access its read-only version > (root.afs.readonly) whenever possible.", and a note that mounting the > read-write copy elsewhere is needed in order to make modifications. I would appreciate some recovery instructions, since the feedback of OpenAFS will take time to be intuitive (e.g. this issue mentioned here was caused by errornous kerberos encryption algorithms in the referenced post and there's no way of knowing that and kerberos gives sadist feedback like `kadmind: No such file or directory while initializing, aborting`).
If the quick start guide becomes too large I'd kick the whole system-specific service setup routines or move them to another document, maybe a wiki or a Q&A since it's obsolete already since `systemd` isn't covered. Concretely, in section 2.24: - So 1. basically wants to say if `-dynroot` is enabled, then 1. isn't necessary and no alternative action needs to be performed? Anything else isn't possible, but the reader still wonders why it's not written that clearly, so that should be done. - How am I supposed to get to the replication step if already setting the ACL on /afs fails with `-dynroot` disabled? Both the explanation and the commands are after setting those. If creating the read-write mount point is a precondition to be able to set ACL, then it a tautology because it depends itself on setting the ACL on / - obviously in my case only since other people have set up AFS volumes already. > That posting predates > http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt; you should not > use des-cbc-crc (or des-cbc-md5 or other single-des enctypes) for the AFS > cell-wide key. (If the Quick Start guide indicates to create a single-des > key, please let me know -- I thought I had removed all such references.) I didn't, but to make sure (since OpenAFS error messages generally don't explain the reason for the error), how would I purge such a key from the setup? Is deleting the keytab and recreating it sufficient? Thanks for you support. -Kalle
signature.asc
Description: OpenPGP digital signature
