There seems to be a causality dilemma between asetkey and bos_setcellname
when a new cell is brought up, at least in 1.8.3. 

 

Invoking asetkey on a vanilla server (binary installation, 1st database
server) leads to an error if it is before the initialization of krb.conf and
ThisCell:

 

$ asetkey add rxkad_krb5 4 18  <keyfile> <princ>

asetkey: can't initialize conf dir '/etc/openafs/server'

 

Looking at the source code of asetkey.c, the first thing main() does is to
check if confdir is valid:

 

    tdir = afsconf_Open(confdir);
    if (!tdir) {
        fprintf(stderr, "%s: can't initialize conf dir '%s'\n", argv[0],
                confdir);
        exit(1);
    }

 

https://github.com/openafs/openafs/blob/85d70ea953c6fb44f200ed4be13cded7413559b8/src/aklog/asetkey.c#L448

 

With trial and error, it seems that afsconf_Open() won't succeed unless
ThisCell and krb.conf are both properly configured. 

 

While krb.conf can be configured manually, ThisCell has NOT been initialized
at this step. It is yet to be filled by "bos setcellname -localauth", which
requires the key to be in place and the bosserver to be running in the
background. So it seems to be a chicken or the egg problem. 

 

bos_setcellname requires a bosserver daemon launched. Launching bosserver
without an initialized confdir always fails in my case. I suspect the
following section of bosserver.c is responsible:

 

    tdir = afsconf_Open(AFSDIR_SERVER_ETC_DIRPATH);
    if (!tdir) {
        tdir = CreateLocalCellConfig();
    }

 

which fails because CreateLocalCellConfig() calls afsconf_SetCellInfo() with
a __NULL__ in its first argument. bosserver then exits abnormally. 

 

Step-by-step guidance for newcomers usually instructs a user to key the
server before bos_setcellname. For example:

https://wiki.openafs.org/admin/InstallingOpenAFSonCentOS7/

https://wiki.gentoo.org/wiki/OpenAFS#Keying_the_Server

 

To break the chain, I manually configured krb.conf and ThisCell, then
invoked asetkey. After successful keying, bosserver can be launched and
bos_setcellname can be invoked with "-localauth".

 

1.6.2x was largely exempted from that problem if a user uses rxkad.keytab
instead of invoking "asetkey". But in 1.8 we see the return of asetkey for
Kerberos 5. 

 

Can OpenAFS gurus confirm the issue? I think it will make life much easier
for new users to bring up a cell.

 

Thanks.

 

==========================

Ximeng (Simon) Guan, Ph.D.

Director of Device Technology

Reliance Memory

==========================

 
