Re: [OpenAFS] Trying OpenAFS, and missing

2014-01-01 Thread Kristofer Pettijohn
I re-ran through the process, following the Debian instructions ( 
https://openafs.dk/doku.php?id=server:openafs ), and I am encountering the same 
error. I cannot figure this one out. 


root@ueafs1:/etc/openafs/server# mv /tmp/afs /etc/openafs/server/rxkad.keytab 

root@ueafs1:/etc/openafs/server# ls -l /etc/openafs/server/rxkad.keytab 
-rw------- 1 root root 462 Jan  2 00:30 /etc/openafs/server/rxkad.keytab 
root@ueafs1:/etc/openafs/server# ps auxww|grep boss 
root 4415 0.0 0.1 25872 4460 ? Ss 00:32 0:00 /usr/sbin/bosserver 
root 4446 0.0 0.0 8172 944 pts/3 S+ 00:33 0:00 grep --color=auto boss 

root@ueafs1:/etc/openafs/server# /etc/init.d/openafs-fileserver stop 
* Stopping OpenAFS services 
bos: failed to shutdown servers (ticket contained unknown key version number) 
bos: can't wait for processes to shutdown (ticket contained unknown key version 
number) 
* Stopping OpenAFS BOS server bosserver [ OK ] 

root@ueafs1:/etc/openafs/server# service openafs-fileserver start 
* Starting OpenAFS BOS server bosserver [ OK ] 

root@ueafs1:/etc/openafs/server# ps auxww|grep -i bos 
root 4475 0.0 0.1 25872 4484 ? Ss 00:33 0:00 /usr/sbin/bosserver 

root@ueafs1:/var/log/openafs# apt-get install krb5-user 

root@ueafs1:/var/log/openafs# kinit kpettij...@ad.domain.com 
Password for kpettij...@ad.domain.com: 
Warning: Your password will expire in 73 days on Sun Mar 16 01:04:44 2014 

root@ueafs1:/var/log/openafs# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: kpettij...@ad.domain.com 

Valid starting     Expires            Service principal 
02/01/2014 00:36   02/01/2014 10:36   krbtgt/ad.domain@ad.domain.com 
        renew until 03/01/2014 00:36 

root@ueafs1:/var/log/openafs# bos setcellname -server ueafs1.ad.domain.com 
-name ad.domain.com -localauth 
bos: failed to set cell (ticket contained unknown key version number) 

root@ueafs1:/var/log/openafs# kvno afs/ad.domain.com 
afs/ad.domain@ad.domain.com: kvno = 6 

root@ueafs1:/var/log/openafs# klist -k -e /etc/openafs/server/rxkad.keytab 
Keytab name: FILE:/etc/openafs/server/rxkad.keytab 
KVNO Principal 
---- -------------------------------------------------------------------------- 
6 afs/ad.domain@ad.domain.com (des-cbc-crc) 
6 afs/ad.domain@ad.domain.com (des-cbc-md5) 
6 afs/ad.domain@ad.domain.com (aes128-cts-hmac-sha1-96) 
6 afs/ad.domain@ad.domain.com (aes256-cts-hmac-sha1-96) 
6 afs/ad.domain@ad.domain.com (arcfour-hmac) 

root@ueafs1:/var/log/openafs# bos setcellname -server ueafs1.ad.domain.com 
-name ad.domain.com -localauth 
bos: failed to set cell (ticket contained unknown key version number) 





Re: [OpenAFS] Trying OpenAFS, and missing

2014-01-01 Thread Kristofer Pettijohn
Thank you for your response.

> >The steps I followed and documented as I went (from the Quickstart guide
> >for Linux) are listed below.
> On Debian/Ubuntu, you can also run the afs-newcell script after
> installation.

I started over and tried that, but it doesn't seem to support the
rxkad.keytab file that you mention later on in your message, so I went
back and adjusted my steps.

> >What might I be missing?  I've spent a solid 8 hours monkeying with this
> >and making no progress.
> Did you check that the kvno in your OpenAFS keyfile matches the kvno
> of the key in your KDC? If they don't match, you need to export the
> key again (each modification changes the kvno).

Yes, see below:

root@ueafs1:~# /opt/pbis/bin/klist -k -e
/etc/openafs/server/rxkad.keytab 
Keytab name: WRFILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 afs/ad.domain@ad.domain.com (des-cbc-crc) 
   6 afs/ad.domain@ad.domain.com (des-cbc-md5) 
   6 afs/ad.domain@ad.domain.com (aes128-cts-hmac-sha1-96) 
   6 afs/ad.domain@ad.domain.com (aes256-cts-hmac-sha1-96) 
   6 afs/ad.domain@ad.domain.com (arcfour-hmac) 

root@ueafs1:~# /opt/pbis/bin/kvno afs/ad.domain.com
afs/ad.domain@ad.domain.com: kvno = 6

> You don't want libpam-openafs-kaserver, but libpam-afs-session (but
> that's not related to your problem).

Thanks, I now see that kaserver was the previous/old authentication
method.  I have adjusted my steps.

> >samba-tool spn add afs/ad.domain.com afs
> >samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com
> Is "ad.domain.com" your actual cell name, or is it only "domain.com"?

ad.domain.com is my AD domain name, Kerberos realm, and cell name.

> >/opt/pbis/bin/kinit administra...@ad.domain.com
> >/opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
> >asetkey add 6 /etc/afs.keytab afs/ad.domain.com
> Starting with 1.6.5.1, you don't need to use asetkey anymore. You
> can export the key to /etc/openafs/server/rxkad.keytab directly and
> it will be used by OpenAFS just fine. You're also not restricted to
> DES-CBC-CRC anymore.

I tried that.  Also following the steps at
https://openafs.dk/doku.php?id=server:openafs, I went through
"Kerberizing the OpenAFS server" and "Initial setup of bosserver", and
as soon as I hit the "bos setcellname" command I receive the error:

root@ueafs1:~# bos setcellname -server ueafs1.ad.domain.com -name
ad.domain.com -localauth
bos: failed to set cell (ticket contained unknown key version number)

root@ueafs1:~# /opt/pbis/bin/klist
Ticket cache: FILE:/tmp/krb5cc_483120612_gRyJqv
Default principal: kpettij...@ad.domain.com

Valid starting     Expires            Service principal
01/01/14 21:12:54  01/02/14 07:12:54  krbtgt/ad.domain@ad.domain.com
        renew until 01/02/14 21:12:52, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac 
01/01/14 21:16:03  01/02/14 07:12:54  afs/ad.domain@ad.domain.com
        renew until 01/02/14 21:12:52, Etype (skey, tkt): arcfour-hmac, arcfour-hmac 


I must be missing something obviously stupid.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Trying OpenAFS, and missing

2014-01-01 Thread Dirk Heinrichs

On 01.01.2014 03:31, Kristofer Pettijohn wrote:

> Hello,
>
> I am trying OpenAFS, but it does not seem to be working correctly with
> Kerberos.
>
> I am attempting to install an OpenAFS server and client on the same
> machine (Ubuntu 13.10), using Samba4 as an AD controller with its built
> in Kerberos server.  The server uses PowerBroker for authentication and
> kerberos.
>
> The steps I followed and documented as I went (from the Quickstart guide
> for Linux) are listed below.


On Debian/Ubuntu, you can also run the afs-newcell script after 
installation.



> No matter what I do, I receive an error about an unknown key version number.
>
> root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com -localauth
> key 6 has cksum 1466094097
> Keys last changed on Tue Dec 31 21:06:31 2013.
> All done.
> root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com
> bos: ticket contained unknown key version number error encountered while
> listing keys
> root@ueafs1:/etc#
>
> The keytab appears to be fine, and shows the correct version:
>
> root@ueafs1:/etc# /opt/pbis/bin/klist -k /etc/afs.keytab
> Keytab name: WRFILE:/etc/afs.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    6 afs/ad.domain@ad.domain.com
>
>
> What might I be missing?  I've spent a solid 8 hours monkeying with this
> and making no progress.


Did you check that the kvno in your OpenAFS keyfile matches the kvno of 
the key in your KDC? If they don't match, you need to export the key 
again (each modification changes the kvno).



> # Add OpenAFS repository
>
> add-apt-repository ppa:openafs/stable
> apt-get update
> # Install OpenAFS packages
> # Set cell name to match Kerberos Realm when prompted
> apt-get install libpam-openafs-kaserver openafs-client openafs-dbserver \
>     openafs-fileserver openafs-krb5


You don't want libpam-openafs-kaserver, but libpam-afs-session (but 
that's not related to your problem).



> # Stop OpenAFS processes and start BOS with -noauth
> /etc/init.d/openafs-fileserver stop
> /usr/sbin/bosserver -noauth
>
> # Edit /etc/openafs/CellServDB and add realm and server
>
> bos setcellname   -noauth
> bos listhosts  -noauth
>
> # Ensure that proper IP address is in /etc/openafs/server/CellServDB,
> # and not 127.0.0.1
>
> bos create ueafs1.ad.domain.com buserver simple /usr/lib/openafs/buserver -noauth
> bos create ueafs1.ad.domain.com ptserver simple /usr/lib/openafs/ptserver -noauth
> bos create ueafs1.ad.domain.com vlserver simple /usr/lib/openafs/vlserver -noauth
>
> # Create "afs" user in AD
>
> samba-tool spn add afs/ad.domain.com afs
> samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com


Is "ad.domain.com" your actual cell name, or is it only "domain.com"?


> # Also tried from Windows using the following and copying the keytab:
> ktpass -princ afs/ad.domain@ad.domain.com -mapuser a...@ad.domain.com \
>     -mapOp add -out keytab.afs +rndPass -ptype KRB5_NT_PRINCIPAL +DumpSalt \
>     -crypto DES-CBC-CRC
>
> # Copy /tmp/afs from Samba (or from Windows) to OpenAFS server in
> # /etc/afs.keytab
>
> /opt/pbis/bin/kinit administra...@ad.domain.com
> /opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
> asetkey add 6 /etc/afs.keytab afs/ad.domain.com


Starting with 1.6.5.1, you don't need to use asetkey anymore. You can 
export the key to /etc/openafs/server/rxkad.keytab directly and it will 
be used by OpenAFS just fine. You're also not restricted to DES-CBC-CRC 
anymore.



> bos adduser ueafs1.ad.domain.com admin -noauth
> bos adduser ueafs1.ad.domain.com kpettijohn -noauth
> bos listkeys ueafs1.ad.domain.com -noauth
>
> # Kill bos and restart
>
> pkill bosserver
> /usr/sbin/bosserver -noauth
>
> # Initialize Protection Database
>
> pts createuser -name admin -noauth
> pts createuser -name kpettijohn -noauth
> pts adduser admin system:administrators -noauth
> pts adduser kpettijohn system:administrators -noauth
> pts membership admin -noauth
> bos restart ueafs1.ad.domain.com -all -noauth
>
> # Start file server processes
>
> bos create ueafs1.ad.domain.com fs fs /usr/lib/openafs/fileserver \
>     /usr/lib/openafs/volserver /usr/lib/openafs/salvager -noauth


You should consider using the new demand attach fileserver (DAFS) 
instead, gives much better performance.


HTH...

Dirk
--
Dirk Heinrichs 
Tel: +49 (0)2471 209385 | Mobil: +49 (0)176 34473913
GPG Public Key C2E467BB | Jabber: dirk.heinri...@altum.de
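Dirk's question in the message above (does the kvno in the OpenAFS keyfile match the kvno the KDC hands out?) is the first thing to rule out whenever rxkad reports "ticket contained unknown key version number", and the klist -e output earlier in the thread adds a second condition that the text only implies: the enctype the KDC used to encrypt the service ticket (the "tkt" half of "Etype (skey, tkt)") must also exist in the keytab at that same kvno. The Python below is an added example, not code from the poster, from OpenAFS or from any Kerberos implementation. It parses a keytab in the MIT file format (version 0x0502, assumed here to be what samba-tool domain exportkeytab writes) without needing klist or kvno installed, and reports every reason a service ticket at a given kvno and enctype would fail to decrypt. The principal name, the key bytes and the stale-versus-fresh keytabs are constructed sample data; build_keytab exists only to make that sample. A clean result rules out only this failure mode: the poster's own klist -k -e and kvno output already agree at kvno 6 with arcfour-hmac present, and his error persisted.

```python
"""Cross-check a keytab against the kvno and enctype the KDC actually issues.
Added example; not OpenAFS, Samba, MIT or Heimdal code. Sample data is constructed."""
import struct

# Kerberos enctype numbers for the enctypes listed by klist -k -e in the thread.
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
SINGLE_DES = {1, 3}
KEYTAB_V2 = 0x0502          # MIT keytab file format version (assumed for the sample)


def _counted(buf, off):
    """Read a counted_octet_string: uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return bytes(buf[off:off + n]), off + n


def parse_keytab(blob):
    """Parse a version 0x0502 keytab into [{principal, kvno, enctype, key}, ...]."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_V2:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot of -size bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm, off = _counted(blob, off)
        comps = []
        for _ in range(ncomp):       # in v2 the realm is not counted in ncomp
            c, off = _counted(blob, off)
            comps.append(c.decode())
        # name_type(uint32) timestamp(uint32) vno8(uint8) enctype(uint16): 11 bytes
        _ntype, _ts, vno8, enctype = struct.unpack_from(">IIBH", blob, off)
        off += 11
        key, off = _counted(blob, off)
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno; a non-zero value wins over vno8
            (vno32,) = struct.unpack_from(">I", blob, off)
            kvno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab.
    Only used to construct sample input; a real keytab comes from the KDC export."""
    out = bytearray(struct.pack(">H", KEYTAB_V2))
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # NT_PRINCIPAL, ts=0
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_service_key(entries, principal, kdc_kvno, ticket_enctype):
    """Return the reasons a ticket for `principal` (kvno and enctype as reported by
    `kvno` and `klist -e`) would not decrypt with this keytab; [] means it should."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return ["%s is not in the keytab at all" % principal]
    problems = []
    kvnos = sorted({e["kvno"] for e in mine})
    if kdc_kvno not in kvnos:
        problems.append("kvno mismatch: KDC uses %d, keytab has %s; re-export the key"
                        % (kdc_kvno, kvnos))
    elif not any(e["kvno"] == kdc_kvno and e["enctype"] == ticket_enctype for e in mine):
        problems.append("kvno %d present, but no %s key; export all enctypes"
                        % (kdc_kvno, ENCTYPES.get(ticket_enctype, ticket_enctype)))
    if all(e["enctype"] in SINGLE_DES for e in mine):
        problems.append("only single-DES keys present")
    return problems


# Constructed sample: a keytab exported before the AD account was modified (kvno 5)
# versus the kvno 6 ticket the KDC issues now, and a correct re-export at kvno 6.
PRINC = "afs/ad.domain.com@AD.DOMAIN.COM"    # hypothetical principal, not the poster's data
STALE = build_keytab([(PRINC, 5, 23, b"\x11" * 16), (PRINC, 5, 18, b"\x22" * 32)])
FRESH = build_keytab([(PRINC, 6, 23, b"\x33" * 16), (PRINC, 6, 18, b"\x44" * 32)])

if __name__ == "__main__":
    for label, blob in (("stale", STALE), ("fresh", FRESH)):
        entries = parse_keytab(blob)
        for e in entries:
            print("%s: kvno %d %s" % (label, e["kvno"], ENCTYPES[e["enctype"]]))
        print(label, check_service_key(entries, PRINC, 6, 23) or "ok")
```

On a real server, read the bytes of /etc/openafs/server/rxkad.keytab into parse_keytab and pass the kvno printed by `kvno afs/...` together with the ticket enctype printed by `klist -e` for that principal; the kvno mismatch branch is exactly the "each modification changes the kvno" case Dirk describes.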


Re: [OpenAFS] Trying OpenAFS, and missing

2013-12-31 Thread Kristofer Pettijohn
When I use aklog, it appears to get the ticket and token successfully: 

kpettijohn@ueafs1:~$ aklog -d 
Authenticating to cell ad.domain.com (server ueafs1.ad.domain.com). 
Trying to authenticate to user's realm AD.DOMAIN.COM. 
Getting tickets: afs/ad.domain@ad.domain.com 
Using Kerberos V5 ticket natively 
About to resolve name kpettijohn to id in cell ad.domain.com. 
Id 2 
Set username to AFS ID 2 
Setting tokens. AFS ID 2 @ ad.domain.com 
kpettijohn@ueafs1:~$ tokens 

Tokens held by the Cache Manager: 

User's (AFS ID 2) tokens for a...@ad.domain.com [Expires Jan 1 10:28] 
--End of list-- 
kpettijohn@ueafs1:~$ 

However, when I run a "vos listvol" after that, I receive the "unknown key 
version number" and am still at a loss. If anyone could help point me at what I 
might be missing, I would greatly appreciate it. 

kpettijohn@ueafs1:~$ vos listvol ueafs1.ad.domain.com 
Could not fetch the list of partitions from the server 
rxk: ticket contained unknown key version number 
Error in vos listvol command. 
rxk: ticket contained unknown key version number 
kpettijohn@ueafs1:~$ 


- Original Message -

From: "Kristofer Pettijohn"  
To: openafs-info@openafs.org 
Sent: Tuesday, December 31, 2013 8:31:55 PM 
Subject: [OpenAFS] Trying OpenAFS, and missing 

Hello, 

I am trying OpenAFS, but it does not seem to be working correctly with 
Kerberos. 

I am attempting to install an OpenAFS server and client on the same machine 
(Ubuntu 13.10), using Samba4 as an AD controller with its built in Kerberos 
server. The server uses PowerBroker for authentication and kerberos. 

The steps I followed and documented as I went (from the Quickstart guide for 
Linux) are listed below. 

No matter what I do, I receive an error about an unknown key version number. 

root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com -localauth 
key 6 has cksum 1466094097 
Keys last changed on Tue Dec 31 21:06:31 2013. 
All done. 
root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com 
bos: ticket contained unknown key version number error encountered while 
listing keys 
root@ueafs1:/etc# 

The keytab appears to be fine, and shows the correct version: 

root@ueafs1:/etc# /opt/pbis/bin/klist -k /etc/afs.keytab 
Keytab name: WRFILE:/etc/afs.keytab 
KVNO Principal 
---- -------------------------------------------------------------------------- 
6 afs/ad.domain@ad.domain.com 


What might I be missing? I've spent a solid 8 hours monkeying with this and 
making no progress. 

Thanks in advance. 



* Installation steps 

# Download Powerbroker and install 

wget http://download.beyondtrust.com/PBISO/7.5.3.1536/linux.deb.x64/pbis-open-7.5.3.1536.linux.x86_64.deb.sh 
sh ./pbis-open-7.5.3.1536.linux.x86_64.deb.sh 

# Join to domain 

domainjoin-cli join --ou 'All Computers/Servers' AD.DOMAIN.COM username 
/opt/pbis/bin/config UserDomainPrefix BRS 
/opt/pbis/bin/config AssumeDefaultDomain true 
/opt/pbis/bin/config HomeDirTemplate "%H/%U" 
/opt/pbis/bin/config LoginShellTemplate /bin/bash 
reboot 

# Add OpenAFS repository 

add-apt-repository ppa:openafs/stable 
apt-get update 

# Set up 2nd volume in LVM 

apt-get install lvm2 

# Set options to be Linux LVM 
fdisk /dev/xvdf 

pvcreate /dev/xvdf1 
vgcreate vgafs /dev/xvdf1 
lvcreate -l 6399 -n vicepa vgafs 
mkdir /vicepa 
echo "/dev/vgafs/vicepa /vicepa ext4 defaults 0 0" >> /etc/fstab 
mount /vicepa 

# Install OpenAFS packages 
# Set cell name to match Kerberos Realm when prompted 
apt-get install libpam-openafs-kaserver openafs-client openafs-dbserver \
    openafs-fileserver openafs-krb5 

# Stop OpenAFS processes and start BOS with -noauth 
/etc/init.d/openafs-fileserver stop 
/usr/sbin/bosserver -noauth 

# Edit /etc/openafs/CellServDB and add realm and server 

bos setcellname   -noauth 
bos listhosts  -noauth 

# Ensure that proper IP address is in /etc/openafs/server/CellServDB, 
# and not 127.0.0.1 

bos create ueafs1.ad.domain.com buserver simple /usr/lib/openafs/buserver -noauth 
bos create ueafs1.ad.domain.com ptserver simple /usr/lib/openafs/ptserver -noauth 
bos create ueafs1.ad.domain.com vlserver simple /usr/lib/openafs/vlserver -noauth 

# Create "afs" user in AD 

samba-tool spn add afs/ad.domain.com afs 
samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com 

# Also tried from Windows using the following and copying the keytab: 
ktpass -princ afs/ad.domain@ad.domain.com -mapuser a...@ad.domain.com \
    -mapOp add -out keytab.afs +rndPass -ptype KRB5_NT_PRINCIPAL +DumpSalt \
    -crypto DES-CBC-CRC 

# Copy /tmp/afs from Samba (or from Windows) to OpenAFS server in 
/etc/afs.keytab 

/opt/pbis/bin/kinit administra...@ad.domain.com 
/opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com 
asetkey add 6 /etc/afs.keytab afs/ad.domain.com 
bos adduser ueafs1.ad.domain.com admin -noauth 
bos adduser ueafs1.ad.domain.com kpettijohn -noauth 
bos listkeys ueafs1.ad.domain.com -noauth 

# Kill bos and restart 

pkill bosserver 
/usr/sbin/bosserver -noauth 

# Initiali