Much more progress .. I've got the keys installed and I can start all servers, aklog and get a token. Now I'm trying to set up the root stuff, and running fs listacl (and other fs commands) fails and seems to make the token disappear?
root@njdev216083:/var/log/openafs# aklog -d
Authenticating to cell corp.1010data.com (server njdev216083).
Trying to authenticate to user's realm CORP.1010DATA.COM.
Getting tickets: afs/[email protected]
Using Kerberos V5 ticket natively
About to resolve name john.dausilio to id in cell corp.1010data.com.
Id 1
Setting tokens. john.dausilio @ corp.1010data.com
root@njdev216083:/var/log/openafs# tokens
Tokens held by the Cache Manager:
User's (AFS ID 1) rxkad tokens for corp.1010data.com [Expires Jun 24 08:41]
--End of list--
root@njdev216083:/var/log/openafs# fs listacl /afs
fs: You don't have the required access rights on '/afs'
root@njdev216083:/var/log/openafs# tokens
Tokens held by the Cache Manager:
--End of list--
root@njdev216083:/var/log/openafs#

-----Original Message-----
From: Benjamin Kaduk [mailto:[email protected]]
Sent: Friday, June 23, 2017 5:25 PM
To: John D'Ausilio
Cc: [email protected]; Jeffrey Altman
Subject: Re: [OpenAFS] New installation, linux server, AD kerberos

On Fri, Jun 23, 2017 at 04:06:41PM -0400, Jeffrey Altman wrote:
> On 6/23/2017 12:33 PM, John D'Ausilio wrote:
> > So .. I downloaded and installed the 1.8 debs, and everything seems to be
> > good. The packages end up starting bosserver ..
> > I keep getting stuck at doing anything with bos .. most commands result in
> > the error "bos: could not find entry (configuring connection security)"
> > Tried setcellname .. maybe this is already done at client install? Weird
> > that the client is a dependency of the fileserver ..
> >
> > root@njdev216083:/home/sysdev# bos setcellname njdev216083 corp.1010data.com -localauth
> > bos: could not find entry (configuring connection security)
>
> My guess is that you need to add the cell wide key via asetkey before
> you can start the service. Key management is an area that has changed
> from OpenAFS 1.6 and OpenAFS 1.8 went in a different direction than
> AuriStorFS so I'm not entirely sure.

Yes, it looks very much like the needed key can't be found, from first glance. (I haven't had time to double-check against the code yet, though.) The 'akeyconvert' utility should help with converting a krb5 keytab (named rxkad.keytab) into the proper KeyFileExt entries.

-Ben
