Hi,

as a maintainer of an OpenAFS cell on Debian, I have been setting up OpenAFS cells, just for tests, from scratch on Debian until V11. I follow the documentation inside the package and it works for me. If I am not mistaken you need 1 VM for the Kerberos server and another VM for the first AFSDB/Fileserver. For a cell that needs to run for more than some days, I use 3 AFSDB and 2 file servers and 1 Kerberos master and 1 Kerberos slave.

As it seems you have problems setting up a real cell, I recommend setting up a dummy cell just for learning. OpenAFS is nice after you know how to deal with it; until then it is a beast that can easily bite you.

Kind regards
Jose M Calhariz

On Sun, Jun 02, 2024 at 12:18:54PM -0400, Ernesto Alfonso wrote:
> Dirk Heinrichs:
>
> Because you deleted the wrong key. The AFS principal should be named
> "afs/<domain>@<REALM>". Just follow the instructions in
> https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> all set.
>
> Thanks. According to the afs-newcell script requirements banner, it would
> be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the
> principal.
>
> If your cell's name is the same as your Kerberos realm then create a
> principal called afs.
> Otherwise, create a principal called afs/cellname in your realm
>
> I must admit that it is hard to know which guides to follow. I'm aware of
> docs.openafs.org, but since I'm on Debian I was looking for something more
> Debian-specific. Most guides and even some commands inside openafs, help
> strings, docs are somewhat outdated with respect to the use of DES keys.
>
> For example, the afs-newcell says:
>
> 2) You need to create the single-DES AFS key and load it into
> /etc/openafs/server/KeyFile. ... You can use asetkey from the
> openafs-krb5 package, or
> if you used AFS3 salt to create the key, the bos addkey command.
>
> Also, I have learned that `bos listkeys` will only list DES keys, which was
> confusing.
>
> If I try to follow docs.openafs.org it is not clear which parts are covered
> by afs-newcell, afs-rootvol, etc. and should be skipped. I also appreciate
> having a simple script to run when setting up a new AFS cell, so I would
> like to stick with Debian packaging and scripts if possible.
>
> I was able to run the afs-newcell script, I only had to modify my
> /etc/hosts to add my FQDN as an alias for 127.0.0.1.
>
> However, running `afs-rootvol` fails:
>
> █[asus][~][0]$ sudo kinit root/admin
> Password for root/[email protected]:
> █[asus][~][25]$ sudo aklog -d
> Authenticating to cell asus.erjoalgo.com (server asus.erjoalgo.com).
> Trying to authenticate to user's realm ASUS.ERJOALGO.COM.
> Getting tickets: afs/[email protected]
> We've deduced that we need to authenticate to realm ASUS.ERJOALGO.COM.
> Getting tickets: afs/[email protected]
> Getting tickets: [email protected]
> Using Kerberos V5 ticket natively
> About to resolve name root.admin to id in cell asus.erjoalgo.com.
> Id 1
> Setting tokens. root.admin @ asus.erjoalgo.com
> █[asus][~][16]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com
> What partition? [a]
>
> vos create asus.erjoalgo.com a root.cell -localauth
> Volume 536870915 created on partition /vicepa of asus.erjoalgo.com
> fs mkm /afs/asus.erjoalgo.com/.root.afs root.afs -rw
> fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'
> Failed: 256
>
> Root volume setup failed, ABORTING
> vos remove asus.erjoalgo.com a root.cell -localauth
> Volume 536870915 on partition /vicepa server asus deleted
> █[asus][~][0]$ sudo kinit root/admin
> Password for root/[email protected]:
> █[asus][~][130]$ sudo aklog
> █[asus][~][4]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com --partition=a
>
> vos create asus.erjoalgo.com a root.cell -localauth
> Volume 536870918 created on partition /vicepa of asus.erjoalgo.com
> fs sa /afs system:anyuser rl
> fs:'/afs': Connection timed out
> Failed: 256
>
> Root volume setup failed, ABORTING
> vos remove asus.erjoalgo.com a root.cell -localauth
> Volume 536870918 on partition /vicepa server asus deleted
> █[asus][~][0]$ ls /afs
>
>
> I don't understand what this means:
>
> fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'
>
> sudo klist shows that the default principal is the root/admin principal
> specified earlier when running afs-newcell:
>
> █[asus][~][130]$ sudo klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root/[email protected]
>
> Valid starting       Expires              Service principal
> 06/02/2024 11:43:36  06/02/2024 21:43:36  krbtgt/[email protected]
> 06/02/2024 11:44:32  06/02/2024 21:43:36  [email protected]
> █[asus][~][0]$
>
> I also don't understand the connection timed out:
>
> fs:'/afs': Connection timed out
>
> I found the error in this post:
>
> https://www.cs.cmu.edu/afs/gco/archive/pipermail/openafs-info/2003-October/011026.html
>
> But I'm not sure I understand the suggested solution that references
> bringing up a cache manager. I don't really understand what is going on.
> Perhaps it would be better to try to set things up step by step and avoid
> the Debian scripts.
>
> Ernesto
>
> On Sun, Jun 2, 2024 at 9:12 AM Dirk Heinrichs <[email protected]>
> wrote:
>
> > Ernesto Alfonso:
> >
> > > Now my problem is still understanding why `bos listkeys` now succeeds
> > > but returns an empty set when asetkey does list 4 keys.
> >
> > Because you deleted the wrong key. The AFS principal should be named
> > "afs/<domain>@<REALM>". Just follow the instructions in
> > https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> > the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> > "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> > all set.
> >
> > Also note that if you set up multiple servers, you only need to do the
> > kadmin part once, and copy the resulting rxkad.keytab (and probably
> > KeyFileExt) to all servers, since the kvno needs to be the same on all
> > servers, but exporting the key increases it.
> >
> > HTH...
> >
> > Dirk
> >

--
Remember that a good example is the best sermon -- H. Jackson Brown Jr.
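The principal-naming rule from the afs-newcell banner and the klist listing quoted in the thread, turned into a small pre-flight check to run before afs-rootvol; this is an added example, not code from the thread or from the Debian openafs package. It assumes the cell-equals-realm comparison is case-insensitive, and the klist listing it checks is constructed from the cell and realm named in the thread.

```shell
#!/bin/sh
# Added example: derive the AFS service principal the afs-newcell banner
# describes, then confirm a klist listing holds a service ticket for it.
# Assumption: cell-equals-realm is compared case-insensitively.

# Print the principal afs-newcell expects for CELL ($1) in REALM ($2).
afs_principal() {
    _upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    if [ "$_upper" = "$2" ]; then
        printf 'afs@%s\n' "$2"
    else
        printf 'afs/%s@%s\n' "$1" "$2"
    fi
}

# Read klist output on stdin and print the expiry of the ticket for
# PRINCIPAL ($1); exit 1 (printing nothing) when no such ticket is listed.
ticket_expiry() {
    awk -v p="$1" 'NF == 5 && $5 == p { print $3, $4; found = 1 }
                   END { exit found ? 0 : 1 }'
}

# Constructed klist listing modelled on the one in the thread, using the
# cell and realm named there.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@ASUS.ERJOALGO.COM

Valid starting       Expires              Service principal
06/02/2024 11:43:36  06/02/2024 21:43:36  krbtgt/ASUS.ERJOALGO.COM@ASUS.ERJOALGO.COM
06/02/2024 11:44:32  06/02/2024 21:43:36  afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM'

# Exit 0 when the cache on stdin holds a TGT for REALM plus an AFS service
# ticket under either accepted name (afs@REALM or afs/CELL@REALM), printing
# the name found and its expiry; exit 1 otherwise.
check_afs_ticket() {
    cell=$1; realm=$2
    listing=$(cat)
    printf '%s\n' "$listing" | ticket_expiry "krbtgt/$realm@$realm" >/dev/null || return 1
    for p in "afs@$realm" "afs/$cell@$realm"; do
        if expiry=$(printf '%s\n' "$listing" | ticket_expiry "$p"); then
            printf '%s expires %s\n' "$p" "$expiry"
            return 0
        fi
    done
    return 1
}

printf '%s\n' "$KLIST_SAMPLE" | check_afs_ticket asus.erjoalgo.com ASUS.ERJOALGO.COM
```

On a live host, replace the constructed listing with `sudo klist | check_afs_ticket CELL REALM` and run it from the same account afs-rootvol will use.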