Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-10 Thread Michael Meffie
On Thu, 6 Jun 2024 22:18:06 -0700
"Benjamin Kaduk"  wrote:

> Ernesto,
> 
> Thank you for sharing your notes on what was helpful, and I am glad you did
> get a working setup.  If you do end up writing up specific suggestions, we
> would be happy to see them.
> 
> -Ben
> 
> On Thu, Jun 06, 2024 at 10:40:56AM -0400, Ernesto Alfonso wrote:
> > I wanted to provide an update, I have finally been able to set up openafs.
> > Thanks for all on this thread who provided helpful advice.  

To reiterate Ben, well done Ernesto.  I am looking forward to seeing your
suggestions to improve the error messages, and any other suggestions.

I do believe we need to improve the documentation and process to improve
the installation and setup experience.

Also, as an aside, the OpenAFS Ansible Collection is available on github
and Ansible Galaxy. It includes roles, modules, and example playbooks to
deploy and manage OpenAFS. Debian as well as a number of other platforms
are supported.

Best regards,
Mike
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-06 Thread Benjamin Kaduk
Ernesto,

Thank you for sharing your notes on what was helpful, and I am glad you did
get a working setup.  If you do end up writing up specific suggestions, we
would be happy to see them.

-Ben

On Thu, Jun 06, 2024 at 10:40:56AM -0400, Ernesto Alfonso wrote:
> I wanted to provide an update, I have finally been able to set up openafs.
> Thanks for all on this thread who provided helpful advice.


Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-06 Thread Ernesto Alfonso
I wanted to provide an update, I have finally been able to set up openafs.
Thanks for all on this thread who provided helpful advice.

I did try to document most of the situations where I got stuck, and do have
a specific list of suggestions that may help make set up easier, mostly
around providing more user-friendly error messages, that I may try to write
when I have time.

Some of the tools I used that were helpful, and may be helpful to others
when trying to setup and debug errors, in no particular order:

- Following the official AFS doc at least for the first time instead of
expecting all scripts to work. This allowed me to become more familiar with
the various AFS components and services.
- Getting out of the mindset of attempting to treat AFS as a black box that
just works after "apt-get install", and being open to learning more about
the system and its administration
- Making use of the listing and status commands to verify changes made
after every step. Some of the commands I actually used were:

asetkey list
tokens
bos status
bos listkeys
pts membership admin -localauth
bos listusers -server asus.erjoalgo.com
vos listvol
vos status
pts listentries -localauth
pt_util -p /var/lib/openafs/db/prdb.DB0 -user -group -members
fs listacl
fs listquota -human

- Reading the source of the afs-newcell and afs-rootvol and being able to
run some of the failing commands manually
- Sometimes using strace -f was helpful in identifying which file was
opened or which service or port was queried whenever a command failed
without providing a helpful explanation
- Sometimes it was necessary to restart the fileserver or client, for
example after a failed afs-rootvol command, it was necessary to run `fs
checkvolumes` as Jeffrey Altman noted, and it was also necessary to restart
openafs-fileserver
- Checking out the source on debian and reading some of the source code,
and adding debug logs was sometimes helpful whenever strace did not help
- Reading the debian/README.Debian file as well as the
referenced configuration-transcript.txt was helpful even if the transcript
is a little outdated
- Asking for help in this mailing list

Thanks again to all,

Ernesto


On Tue, Jun 4, 2024 at 10:24 AM Jose M Calhariz <
jose.calha...@tecnico.ulisboa.pt> wrote:

> Hi,
>
> as a maintainer of an OpenAFS cell on Debian, I have been setting up
> OpenAFS cells, just for tests, from scratch on Debian until V11.  I
> follow the documentation inside the package and it works for me.  If I
> am not mistaken you need 1 VM for kerberos server and another VM for
> the first AFSDB/Fileserver.  For a cell that needs to run more than
> some days, I use 3 AFSDB and 2 File servers and 1 Kerberos master and
> 1 Kerberos slave.
>
> As it seems you have problems setting up a real cell, I recommend
> setting up a dummy cell just for learning.  OpenAFS is nice after you know
> how to deal with it, until then it is a beast that can easily bite you.
>
> Kind regards
> Jose M Calhariz
>
> On Sun, Jun 02, 2024 at 12:18:54PM -0400, Ernesto Alfonso wrote:
> > Dirk Heinrichs:
> >
> > Because you deleted the wrong key. The AFS principal should be named
> > "afs/@".  Just follow the instructions in
> > https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under
> "Generating
> > the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> > "/etc/openafs/server", which is used on Debian/Ubuntu, and you
> should be
> > all set.
> >
> > Thanks. According to the afs-newcell script requirements banner, it would
> > be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the
> > principal.
> >
> > If your cell's name is the same as your Kerberos realm then create a
> > principal called afs.
> > Otherwise, create a principal called afs/cellname in your realm
> >
> > I must admit that it is hard to know which guides to follow. I'm aware of
> > docs.openafs.org, but since I'm on debian I was looking for something
> more
> > debian-specific. Most guides and even some commands inside openafs, help
> > strings, docs are somewhat outdated with respect to the use of DES keys.
> >
> > For example, the afs-newcell says:
> >
> > 2) You need to create the single-DES AFS key and load it into
> >/etc/openafs/server/KeyFile.  ... You can use asetkey from the
> > openafs-krb5 package, or
> >if you used AFS3 salt to create the key, the bos addkey command.
> >
> > Also, I have learned that `bos listkeys` will only list DES keys, which
> was
> > confusing.
> >
> > If I try to follow docs.openafs.org it is not clear which parts are
> covered
> > by afs-newcell, afs-rootvol, etc and should be skipped. I also appreciate
> > having a simple script to run when setting up a new AFS cell, so I would
> > like to stick with debian packaging and scripts if possible.
> >
> > I was able to run the afs-newcell script, I only had to modify my
> > /etc/hosts to add my FQDN as an alias for 127.0.0.1.
>

Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-04 Thread Jose M Calhariz
Hi,

as a maintainer of an OpenAFS cell on Debian, I have been setting up
OpenAFS cells, just for tests, from scratch on Debian until V11.  I
follow the documentation inside the package and it works for me.  If I
am not mistaken you need 1 VM for kerberos server and another VM for
the first AFSDB/Fileserver.  For a cell that needs to run more than
some days, I use 3 AFSDB and 2 File servers and 1 Kerberos master and
1 Kerberos slave.

As it seems you have problems setting up a real cell, I recommend
setting up a dummy cell just for learning.  OpenAFS is nice after you know
how to deal with it, until then it is a beast that can easily bite you.

Kind regards
Jose M Calhariz

On Sun, Jun 02, 2024 at 12:18:54PM -0400, Ernesto Alfonso wrote:
> Dirk Heinrichs:
> 
> Because you deleted the wrong key. The AFS principal should be named
> "afs/@".  Just follow the instructions in
> https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> all set.
> 
> Thanks. According to the afs-newcell script requirements banner, it would
> be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the
> principal.
> 
> If your cell's name is the same as your Kerberos realm then create a
> principal called afs.
> Otherwise, create a principal called afs/cellname in your realm
> 
> I must admit that it is hard to know which guides to follow. I'm aware of
> docs.openafs.org, but since I'm on debian I was looking for something more
> debian-specific. Most guides and even some commands inside openafs, help
> strings, docs are somewhat outdated with respect to the use of DES keys.
> 
> For example, the afs-newcell says:
> 
> 2) You need to create the single-DES AFS key and load it into
>/etc/openafs/server/KeyFile.  ... You can use asetkey from the
> openafs-krb5 package, or
>if you used AFS3 salt to create the key, the bos addkey command.
> 
> Also, I have learned that `bos listkeys` will only list DES keys, which was
> confusing.
> 
> If I try to follow docs.openafs.org it is not clear which parts are covered
> by afs-newcell, afs-rootvol, etc and should be skipped. I also appreciate
> having a simple script to run when setting up a new AFS cell, so I would
> like to stick with debian packaging and scripts if possible.
> 
> I was able to run the afs-newcell script, I only had to modify my
> /etc/hosts to add my FQDN as an alias for 127.0.0.1.
> 
> However, running `afs-rootvol` fails:
> 
> █[asus][~][0]$ sudo kinit root/admin
> Password for root/ad...@asus.erjoalgo.com:
> █[asus][~][25]$ sudo aklog -d
> Authenticating to cell asus.erjoalgo.com (server asus.erjoalgo.com).
> Trying to authenticate to user's realm ASUS.ERJOALGO.COM.
> Getting tickets: afs/asus.erjoalgo@asus.erjoalgo.com
> We've deduced that we need to authenticate to realm ASUS.ERJOALGO.COM.
> Getting tickets: afs/asus.erjoalgo@asus.erjoalgo.com
> Getting tickets: a...@asus.erjoalgo.com
> Using Kerberos V5 ticket natively
> About to resolve name root.admin to id in cell asus.erjoalgo.com.
> Id 1
> Setting tokens. root.admin @ asus.erjoalgo.com
> █[asus][~][16]$ sudo afs-rootvol --requirements-met --server
> asus.erjoalgo.com
> What partition? [a]
> 
> vos create asus.erjoalgo.com a root.cell -localauth
> Volume 536870915 created on partition /vicepa of asus.erjoalgo.com
> fs mkm /afs/asus.erjoalgo.com/.root.afs root.afs -rw
> fs: You don't have the required access rights on '/afs/
> asus.erjoalgo.com/.root.afs'
> Failed: 256
> 
> Root volume setup failed, ABORTING
> vos remove asus.erjoalgo.com a root.cell -localauth
> Volume 536870915 on partition /vicepa server asus deleted
> █[asus][~][0]$ sudo kinit root/admin
> Password for root/ad...@asus.erjoalgo.com:
> █[asus][~][130]$ sudo aklog
> █[asus][~][4]$ sudo afs-rootvol --requirements-met --server
> asus.erjoalgo.com  --partition=a
> 
> vos create asus.erjoalgo.com a root.cell -localauth
> Volume 536870918 created on partition /vicepa of asus.erjoalgo.com
> fs sa /afs system:anyuser rl
> fs:'/afs': Connection timed out
> Failed: 256
> 
> Root volume setup failed, ABORTING
> vos remove asus.erjoalgo.com a root.cell -localauth
> Volume 536870918 on partition /vicepa server asus deleted
> █[asus][~][0]$ ls /afs
> 
> 
> I don't understand what this means:
> 
> fs: You don't have the required access rights on '/afs/
> asus.erjoalgo.com/.root.afs'
> 
> sudo klist shows that the default principal is the root/admin principal
> specified earlier when running afs-newcell:
> 
> █[asus][~][130]$ sudo klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root/ad...@asus.erjoalgo.com
> 
> Valid starting   Expires  Service principal
>

Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-02 Thread Benjamin Kaduk
[replying to the latest but copying one older snippet since it's important]
> > > Now my problem is still understanding why `bos listkeys` now succeeds but
> > > returns an empty set when asetkey does list 4 keys.

This is the expected behavior.  "bos listkeys" only knows about legacy
rxkad (single-DES) keys, and the desired state is to have zero active keys
of that type.  (It looks like you have figured this out independently
already, but I just wanted to confirm it specifically.)

It would be possible in theory to add new RPCs for the bosserver to manage
the newer key types, but given the advances in fleet automation and remote
management tools since bos was originally written, it seemed like it would
not add very much value compared to ssh and akeyconvert.

On Sun, Jun 02, 2024 at 12:18:54PM -0400, Ernesto Alfonso wrote:
> Dirk Heinrichs:
> 
> Because you deleted the wrong key. The AFS principal should be named
> "afs/@".  Just follow the instructions in
> https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> all set.
> 
> Thanks. According to the afs-newcell script requirements banner, it would
> be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the
> principal.

This text in afs-newcell should have been removed since 1.8.10-2 (in favor
of afs/cellname); if you are seeing it in that version or later, please
report a debian bug.  That update to afs-newcell also updated the text you
quoted later on (which I am trimming from this message) about single-DES
AFS keys.

> I was able to run the afs-newcell script, I only had to modify my
> /etc/hosts to add my FQDN as an alias for 127.0.0.1.
> 
> However, running `afs-rootvol` fails:
> 
[...]
> vos create asus.erjoalgo.com a root.cell -localauth
> Volume 536870915 created on partition /vicepa of asus.erjoalgo.com
> fs mkm /afs/asus.erjoalgo.com/.root.afs root.afs -rw
> fs: You don't have the required access rights on '/afs/
> asus.erjoalgo.com/.root.afs'
> Failed: 256

That makes it seem like you do not have a token for a user in the
system:administrators group (which could happen if you had restarted or
restarted the openafs-client since you ran afs-newcell).  So the usual
diagnostic steps would include:

# tokens
# pts mem system:administrators -localauth
# fs la /afs/asus.erjoalgo.com/

-Ben


Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-02 Thread Ernesto Alfonso
Dirk Heinrichs:

Because you deleted the wrong key. The AFS principal should be named
"afs/@".  Just follow the instructions in
https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
"/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
all set.

Thanks. According to the afs-newcell script requirements banner, it would
be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the
principal.

If your cell's name is the same as your Kerberos realm then create a
principal called afs.
Otherwise, create a principal called afs/cellname in your realm

I must admit that it is hard to know which guides to follow. I'm aware of
docs.openafs.org, but since I'm on debian I was looking for something more
debian-specific. Most guides and even some commands inside openafs, help
strings, docs are somewhat outdated with respect to the use of DES keys.

For example, the afs-newcell says:

2) You need to create the single-DES AFS key and load it into
   /etc/openafs/server/KeyFile.  ... You can use asetkey from the
openafs-krb5 package, or
   if you used AFS3 salt to create the key, the bos addkey command.

Also, I have learned that `bos listkeys` will only list DES keys, which was
confusing.

If I try to follow docs.openafs.org it is not clear which parts are covered
by afs-newcell, afs-rootvol, etc and should be skipped. I also appreciate
having a simple script to run when setting up a new AFS cell, so I would
like to stick with debian packaging and scripts if possible.

I was able to run the afs-newcell script, I only had to modify my
/etc/hosts to add my FQDN as an alias for 127.0.0.1.

However, running `afs-rootvol` fails:

█[asus][~][0]$ sudo kinit root/admin
Password for root/ad...@asus.erjoalgo.com:
█[asus][~][25]$ sudo aklog -d
Authenticating to cell asus.erjoalgo.com (server asus.erjoalgo.com).
Trying to authenticate to user's realm ASUS.ERJOALGO.COM.
Getting tickets: afs/asus.erjoalgo@asus.erjoalgo.com
We've deduced that we need to authenticate to realm ASUS.ERJOALGO.COM.
Getting tickets: afs/asus.erjoalgo@asus.erjoalgo.com
Getting tickets: a...@asus.erjoalgo.com
Using Kerberos V5 ticket natively
About to resolve name root.admin to id in cell asus.erjoalgo.com.
Id 1
Setting tokens. root.admin @ asus.erjoalgo.com
█[asus][~][16]$ sudo afs-rootvol --requirements-met --server
asus.erjoalgo.com
What partition? [a]

vos create asus.erjoalgo.com a root.cell -localauth
Volume 536870915 created on partition /vicepa of asus.erjoalgo.com
fs mkm /afs/asus.erjoalgo.com/.root.afs root.afs -rw
fs: You don't have the required access rights on '/afs/
asus.erjoalgo.com/.root.afs'
Failed: 256

Root volume setup failed, ABORTING
vos remove asus.erjoalgo.com a root.cell -localauth
Volume 536870915 on partition /vicepa server asus deleted
█[asus][~][0]$ sudo kinit root/admin
Password for root/ad...@asus.erjoalgo.com:
█[asus][~][130]$ sudo aklog
█[asus][~][4]$ sudo afs-rootvol --requirements-met --server
asus.erjoalgo.com  --partition=a

vos create asus.erjoalgo.com a root.cell -localauth
Volume 536870918 created on partition /vicepa of asus.erjoalgo.com
fs sa /afs system:anyuser rl
fs:'/afs': Connection timed out
Failed: 256

Root volume setup failed, ABORTING
vos remove asus.erjoalgo.com a root.cell -localauth
Volume 536870918 on partition /vicepa server asus deleted
█[asus][~][0]$ ls /afs


I don't understand what this means:

fs: You don't have the required access rights on '/afs/
asus.erjoalgo.com/.root.afs'

sudo klist shows that the default principal is the root/admin principal
specified earlier when running afs-newcell:

█[asus][~][130]$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/ad...@asus.erjoalgo.com

Valid starting   Expires  Service principal
06/02/2024 11:43:36  06/02/2024 21:43:36  krbtgt/
asus.erjoalgo@asus.erjoalgo.com
06/02/2024 11:44:32  06/02/2024 21:43:36  a...@asus.erjoalgo.com
█[asus][~][0]$

I also don't understand the connection-timed out:

  fs:'/afs': Connection timed out

I found the error in this post:

https://www.cs.cmu.edu/afs/gco/archive/pipermail/openafs-info/2003-October/011026.html

But I'm not sure I understand the suggested solution that references
bringing up a cache manager. I don't really understand what is going on.
Perhaps it would be better to try to set things up step by step and avoid
the debian scripts.

Ernesto

On Sun, Jun 2, 2024 at 9:12 AM Dirk Heinrichs 
wrote:

> Ernesto Alfonso:
>
> > Now my problem is still understanding why `bos listkeys` now succeeds
> > but returns an empty set when asetkey does list 4 keys.
>
> Because you deleted the wrong key. The AFS principal should be named
> "afs/@".  Just follow the

Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-02 Thread Dirk Heinrichs

Ernesto Alfonso:

Now my problem is still understanding why `bos listkeys` now succeeds 
but returns an empty set when asetkey does list 4 keys.


Because you deleted the wrong key. The AFS principal should be named 
"afs/@".  Just follow the instructions in 
https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating 
the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with 
"/etc/openafs/server", which is used on Debian/Ubuntu, and you should be 
all set.


Also note that if you setup multiple servers, you only need to do the 
kadmin part once, and copy the resulting rxkad.keytab (and probably 
KeyFileExt) to all servers, since the kvno needs to be the same on all 
servers, but exporting the key increases it.


HTH...

    Dirk

--
Dirk Heinrichs 
Matrix-Adresse: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de





Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-02 Thread Ernesto Alfonso
I am a bit paranoid so I redacted part of the `asetkey` output with question
marks, here is the actual output, including the keytab list (on debian I
don't seem to have rkt or wkt but I have klist):


█[asus][~][1]$ sudo asetkey list
rxkad_krb5  kvno5 enctype 17; key is:
5eb1d56251abadd918b41843f2246825
rxkad_krb5  kvno5 enctype 18; key is:
d075ab4afb7e5f482b90ec35a8948a3f7838f39b581d49f42c10a554c2bf2955
rxkad_krb5  kvno9 enctype 17; key is:
4282df96efc8b6667fa48e422875728a
rxkad_krb5  kvno9 enctype 18; key is:
a2577e635303819c8b26f303e901d7e662f59101e9a4361c414e77716443fef6
All done.
█[asus][~][0]$ sudo klist -ke /etc/openafs/server/rxkad.keytab
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal

--
   9 a...@asus.erjoalgo.com (aes256-cts-hmac-sha1-96)
   9 a...@asus.erjoalgo.com (aes128-cts-hmac-sha1-96)
   5 afs/asus.erjoalgo@asus.erjoalgo.com (aes256-cts-hmac-sha1-96)
   5 afs/asus.erjoalgo@asus.erjoalgo.com (aes128-cts-hmac-sha1-96)
█


The reason I have two different key numbers is that I have keys for two
different principals, both a...@asus.erjoalgo.com and afs/
asus.erjoalgo@asus.erjoalgo.com . The latter principal came after
trying to solve the error "bos: ticket contained unknown key version number
error encountered while" and coming across this post below:

https://lists.openafs.org/pipermail/openafs-info/2009-April/031205.html

Which said:

My fault
the principal should be afs/creedon@creedon.biz not a...@creedon.biz
Found it out with aklog -d
Tedc


My actual problem was that I had updated the principal's keys without
re-exporting them to the keytab and importing them into AFS, and doing this
fixed the "ticket contained unknown key version number error" problem.

I could probably remove the afs/asus.erjoalgo@asus.erjoalgo.com key but
it doesn't seem to do any harm. In fact, I have done it:

█[asus][~][130]$ sudo kadmin.local ktrem -k
/etc/openafs/server/rxkad.keytab afs/asus.erjoalgo.com all
Entry for principal afs/asus.erjoalgo.com with kvno 5 removed from
keytab WRFILE:/etc/openafs/server/rxkad.keytab.
Entry for principal afs/asus.erjoalgo.com with kvno 5 removed from
keytab WRFILE:/etc/openafs/server/rxkad.keytab.
█[asus][~][0]$ sudo klist -ke /etc/openafs/server/rxkad.keytab
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal

--
   9 a...@asus.erjoalgo.com (aes256-cts-hmac-sha1-96)
   9 a...@asus.erjoalgo.com (aes128-cts-hmac-sha1-96)
█[asus][~][130]$ sudo rm /etc/openafs/server/KeyFileExt
█[asus][~][0]$ sudo akeyconvert -all
Wrote 2 keys
█[asus][~][0]$ sudo asetkey list
rxkad_krb5  kvno9 enctype 17; key is:
4282df96efc8b6667fa48e422875728a
rxkad_krb5  kvno9 enctype 18; key is:
a2577e635303819c8b26f303e901d7e662f59101e9a4361c414e77716443fef6
All done.
█[asus][~][0]$ sudo bos listkeys asus.erjoalgo.com -localauth
All done.
█[asus][~][0]$


Now my problem is still understanding why `bos listkeys` now succeeds but
returns an empty set when asetkey does list 4 keys.

Ernesto

On Sun, Jun 2, 2024 at 4:15 AM Dirk Heinrichs 
wrote:

> Ernesto Alfonso:
>
> > sudo asetkey list
> > rxkad_krb5  kvno5 enctype 17; key is:
> > 
> > rxkad_krb5  kvno5 enctype 18; key is:
> > 
> > rxkad_krb5  kvno9 enctype 17; key is:
> > 
> > rxkad_krb5  kvno9 enctype 18; key is:
> > 
>
> I'm a little bit confused about the key version numbers (kvno). They
> should IMHO be the same. Are those question marks the same string for
> the respective enctypes? You could also check the content of your
> keytab, by running "ktutil". In ktutil, read your keytab file using "rkt
> /etc/openafs/server/rxkad.keytab" and then list the keys using the "l"
> (lowercase "L") command. It should list multiple keys, which all have
> the same kvno. If not, delete the ones with the lower kvnos, using
> "delent " and save the file using "wkt
> /etc/openafs/server/rxkad.keytab".
>
> HTH...
>
>  Dirk
>
> --
> Dirk Heinrichs 
> Matrix-Adresse: @heini:chat.altum.de
> GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
> Privacy Handbuch: https://www.privacy-handbuch.de
>
>


Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-02 Thread Dirk Heinrichs

Ernesto Alfonso:


sudo asetkey list
    rxkad_krb5      kvno    5 enctype 17; key is: 

    rxkad_krb5      kvno    5 enctype 18; key is: 

    rxkad_krb5      kvno    9 enctype 17; key is: 

    rxkad_krb5      kvno    9 enctype 18; key is: 



I'm a little bit confused about the key version numbers (kvno). They 
should IMHO be the same. Are those question marks the same string for 
the respective enctypes? You could also check the content of your 
keytab, by running "ktutil". In ktutil, read your keytab file using "rkt 
/etc/openafs/server/rxkad.keytab" and then list the keys using the "l" 
(lowercase "L") command. It should list multiple keys, which all have 
the same kvno. If not, delete the ones with the lower kvnos, using
"delent " and save the file using "wkt 
/etc/openafs/server/rxkad.keytab".


HTH...

    Dirk

--
Dirk Heinrichs 
Matrix-Adresse: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de



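Dirk's advice above (all keytab entries should share one kvno, and the keytab must agree with what asetkey reports) can be turned into a pre-flight check. The script below is an added example, not code from the thread or from OpenAFS: it parses the text of `klist -ke` and `asetkey list`, lists the stale lower-kvno keytab entries, and fails when the two key stores disagree. The sample listings are constructed with a placeholder realm EXAMPLE.COM and redacted key bytes to mirror the kvno 5 / kvno 9 situation Ernesto posted.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS: a pre-flight
# check that the rxkad keytab and the OpenAFS key store agree on a single
# key version number (kvno). Input is the text of `klist -ke` and
# `asetkey list`; the samples below are constructed (placeholder realm
# and key bytes) to mirror the kvno 5 / kvno 9 situation in the thread.

# Constructed `klist -ke /etc/openafs/server/rxkad.keytab` output with a
# stale kvno-5 principal still present beside the current kvno-9 keys.
SAMPLE_KLIST='Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------
   9 afs@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   9 afs@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 afs/cell.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 afs/cell.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Constructed `asetkey list` output after akeyconvert imported both kvnos.
SAMPLE_ASETKEY='rxkad_krb5  kvno    5 enctype 17; key is: <redacted>
rxkad_krb5  kvno    5 enctype 18; key is: <redacted>
rxkad_krb5  kvno    9 enctype 17; key is: <redacted>
rxkad_krb5  kvno    9 enctype 18; key is: <redacted>
All done.'

# The same two listings after the kvno-5 entries were removed from the
# keytab, KeyFileExt was deleted and `akeyconvert -all` was re-run.
CLEAN_KLIST='KVNO Principal
---- --------------------------------------------------------------
   9 afs@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   9 afs@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'
CLEAN_ASETKEY='rxkad_krb5  kvno    9 enctype 17; key is: <redacted>
rxkad_krb5  kvno    9 enctype 18; key is: <redacted>
All done.'

# Distinct kvnos in `klist -ke` output (stdin), ascending, one per line.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $1 }' | sort -un
}

# "kvno principal" for every keytab entry below the highest kvno present:
# the stale entries that ktutil "delent" / kadmin "ktremove" should drop.
keytab_stale_entries() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ {
             kv[NR] = $1 + 0; pr[NR] = $2
             if (kv[NR] > max) max = kv[NR]
         }
         END { for (i in kv) if (kv[i] < max) print kv[i], pr[i] }' | sort -u
}

# Distinct kvnos in `asetkey list` output (stdin). Tolerates the
# whitespace-collapsed "kvno5" form that appears in the archived mails.
asetkey_kvnos() {
    sed -n 's/.*kvno[[:space:]]*\([0-9][0-9]*\).*/\1/p' | sort -un
}

# Succeeds (exit 0) only when keytab and asetkey each hold exactly one
# kvno and the two agree; otherwise explains the discrepancy and fails.
check_kvno_consistency() {
    kt=$(printf '%s\n' "$1" | keytab_kvnos | tr '\n' ' '); kt=${kt% }
    ak=$(printf '%s\n' "$2" | asetkey_kvnos | tr '\n' ' '); ak=${ak% }
    status=0
    case $kt in
        '')    echo "keytab: no principal entries found"; status=1 ;;
        *' '*) echo "keytab: several kvnos present ($kt), stale entries:"
               printf '%s\n' "$1" | keytab_stale_entries | sed 's/^/  /'
               status=1 ;;
    esac
    case $ak in
        '')    echo "asetkey: no rxkad_krb5 keys listed"; status=1 ;;
        *' '*) echo "asetkey: several kvnos present ($ak); remove KeyFileExt and re-run akeyconvert"
               status=1 ;;
    esac
    if [ "$status" -eq 0 ] && [ "$kt" != "$ak" ]; then
        echo "kvno mismatch: keytab=$kt asetkey=$ak (re-export the key, then akeyconvert)"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok: keytab and asetkey both at kvno $kt"
    fi
    return "$status"
}

# Demonstration on the constructed samples: the stale state fails, the
# cleaned state passes. On a live server feed in the real command output:
#   check_kvno_consistency "$(klist -ke /etc/openafs/server/rxkad.keytab)" "$(asetkey list)"
check_kvno_consistency "$SAMPLE_KLIST" "$SAMPLE_ASETKEY" || :
check_kvno_consistency "$CLEAN_KLIST" "$CLEAN_ASETKEY"
```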


Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-06-01 Thread Ernesto Alfonso
Thanks for getting back to me, I didn't see your message until now. Also
thanks for the explanation.

I've been able to get a little further by using `-localauth`. However, for
some reason `bos listkeys` now returns an empty list, whereas `asetkey`
does list 4 keys:

█[asus][openafs-1.8.9][1]$ sudo bos listkeys -localauth -server
asus.erjoalgo.com
All done.
█[asus][openafs-1.8.9][0]$ sudo asetkey list
rxkad_krb5  kvno5 enctype 17; key is:

rxkad_krb5  kvno5 enctype 18; key is:

rxkad_krb5  kvno9 enctype 17; key is:

rxkad_krb5  kvno9 enctype 18; key is:

All done.
█[asus][openafs-1.8.9][0]$

But according to this guide, which I have been trying to follow:

https://www.halolinux.us/debian-administration/openafs-installation-on-debian.html

the `bos listkeys` command should return the same keys that were added via
asetkey/akeyconvert.

Using strace and adding some debug logs into the `bos.c` source, I noticed
that it makes an RPC call to UDP port 7007, the process listening there is
`bosserver` invoked as:


█[asus][openafs-1.8.9][0]$ pgrep -af bosserver
75323 /usr/sbin/bosserver -nofork


Looking at `man bosserver` tells me that the bosserver log files are in
/var/log/openafs/BosLog. But unfortunately I don't see anything interesting
in the BosLog:

█[asus][git][0]$ sudo tail -f /var/log/openafs/BosLog
Sat Jun  1 12:46:13 2024: Core limits now -1 -1
Sat Jun  1 12:46:13 2024: Listening on 0.0.0.0:7007
Sat Jun  1 13:54:03 2024: Shutdown of BOS server and processes in
response to signal 15
Sat Jun  1 13:54:03 2024: Server directory access is okay
Sat Jun  1 13:54:03 2024: Core limits now -1 -1
Sat Jun  1 13:54:03 2024: Listening on 0.0.0.0:7007
Sat Jun  1 21:24:42 2024: Shutdown of BOS server and processes in
response to signal 15
Sat Jun  1 21:24:42 2024: Server directory access is okay
Sat Jun  1 21:24:42 2024: Core limits now -1 -1
Sat Jun  1 21:24:42 2024: Listening on 0.0.0.0:7007

I tried restarting the openafs-fileserver service to restart bosserver but
nothing changed.

I guess I will next try to compile bosserver and do some debugging to try
to understand which files it is reading and why it is returning an empty
set of keys despite asetkey reporting 4 keys.

Ernesto


On Wed, May 29, 2024 at 12:56 PM Cheyenne Wills 
wrote:

> Ernesto,
>
> Could you try adding -localauth to the command?
>
>   sudo bos listkeys -server asus.erjoalgo.com -localauth
>
> The bos command is used to manage the openafs servers and requires that
> the user that is issuing the bos command be authenticated to kerberos
> unless the -localauth option is specified.
>
> The messages you are seeing in dmesg are related to the openafs
> cache manager kernel module which is part of the openafs client. The
> bos command does not use the openafs client (cache manager/kernel
> module) for communication to the servers.
>
> --
> Cheyenne Wills
> cwi...@sinenomine.net
>
>
>
> On Tue, 28 May 2024 21:38:01 -0400
> Ernesto Alfonso  wrote:
> > Hello,
> >
> > I'm having trouble setting up openafs on debian bookworm.
> >
> > I've imported kerberos keys into openafs via `akeyconvert -all`:
> >
> > sudo asetkey list
> > rxkad_krb5  kvno4 enctype 17; key is:
> > 
> > rxkad_krb5  kvno4 enctype 18; key is:
> > 
> > All done.
> >
> >
> > I'm now trying to use the bos command line, but this fails:
> >
> > $ sudo bos listkeys -server asus.erjoalgo.com
> > bos: unable to build security class (configuring connection
> > security)
> >
> > I have tried building `bos` from source to better understand the
> > context of the error message. I've only narrowed it down to:
> >
> > function afsconf_ClientAuthToken in auth/authcon.c
> > code = ktc_GetTokenEx(info->name, &tokenSet);
> >
> > function ktc_GetTokenEx in auth/ktc.c:
> > code = PIOCTL(0, VIOC_GETTOK2, &iob, 0);
> >
> > This returns a non-zero code, causing the command line to fail.
> >
> > What could be the reason that the PIOCTL command is failing? Is there
> > any way to get more information?
> >
> > I've tried rebuilding the kernel module as suggested here
> > <https://unix.stackexchange.com/questions/404247/openafs-suddenly-fails-a-pioctl-failed-while-obtaining-tokens>:
> >
> > sudo dpkg-reconfigure openafs-modules-dkms
> >
> > And restarting the openafs-client service, but this does not change
> > anything.
> >
> > I only noticed some benign-looking warnings in dmesg:
> >
> > [   20.377862] systemd-fstab-generator[637]: Checking was
> > requested for "/var/cache/openafs.img", but it is not a device.
> > [   20.676946] systemd[1]:
> >

Re: [OpenAFS] Help setting up openafs on debian bookworm

2024-05-29 Thread Cheyenne Wills
Ernesto,

Could you try adding -localauth to the command?

  sudo bos listkeys -server asus.erjoalgo.com -localauth

The bos command is used to manage the openafs servers and requires that
the user that is issuing the bos command be authenticated to kerberos
unless the -localauth option is specified. 

The messages you are seeing in dmesg are related to the openafs
cache manager kernel module which is part of the openafs client. The
bos command does not use the openafs client (cache manager/kernel
module) for communication to the servers.

-- 
Cheyenne Wills
cwi...@sinenomine.net



On Tue, 28 May 2024 21:38:01 -0400
Ernesto Alfonso  wrote:
> Hello,
> 
> I'm having trouble setting up openafs on debian bookworm.
> 
> I've imported kerberos keys into openafs via `akeyconvert -all`:
> 
> sudo asetkey list
> rxkad_krb5  kvno4 enctype 17; key is:
> 
> rxkad_krb5  kvno4 enctype 18; key is:
> 
> All done.
> 
> 
> I'm now trying to use the bos command line, but this fails:
> 
> $ sudo bos listkeys -server asus.erjoalgo.com
> bos: unable to build security class (configuring connection
> security)
> 
> I have tried building `bos` from source to better understand the
> context of the error message. I've only narrowed it down to:
> 
> function afsconf_ClientAuthToken in auth/authcon.c
> code = ktc_GetTokenEx(info->name, &tokenSet);
> 
> function ktc_GetTokenEx in auth/ktc.c:
> code = PIOCTL(0, VIOC_GETTOK2, &iob, 0);
> 
> This returns a non-zero code, causing the command line to fail.
> 
> What could be the reason that the PIOCTL command is failing? Is there
> any way to get more information?
> 
> I've tried rebuilding the kernel module as suggested here
> <https://unix.stackexchange.com/questions/404247/openafs-suddenly-fails-a-pioctl-failed-while-obtaining-tokens>:
> 
> sudo dpkg-reconfigure openafs-modules-dkms
> 
> And restarting the openafs-client service, but this does not change
> anything.
> 
> I only noticed some benign-looking warnings in dmesg:
> 
> [   20.377862] systemd-fstab-generator[637]: Checking was
> requested for "/var/cache/openafs.img", but it is not a device.
> [   20.676946] systemd[1]:
> /lib/systemd/system/openafs-client.service:22: Unit uses
> KillMode=none. This is unsafe, as it disables systemd's process
> lifecycle management for the service. Please update the service to
> use a safer KillMode=, such as 'mixed' or 'control-group'. Support
> for KillMode=none is deprecated and will eventually be removed.
> [   49.217272] openafs: loading out-of-tree module taints kernel.
> [   49.217278] openafs: module license '
> http://www.openafs.org/dl/license10.html' taints kernel.
> [   49.217987] openafs: module verification failed: signature
> and/or required key missing - tainting kernel
> 
> I don't see anything interesting in the openafs-client service logs
> or in syslog:
> 
> $ sudo journalctl -feu openafs-client
> May 28 09:03:43 asus systemd[1]: Starting openafs-client.service -
> OpenAFS client...
> May 28 09:03:50 asus afsd[1823]: afsd: All AFS daemons started.
> May 28 09:03:50 asus afsd[1787]: afsd: All AFS daemons started.
> May 28 09:03:50 asus systemd[1]: Started openafs-client.service -
> OpenAFS client.
> May 28 09:03:52 asus fs[1827]: Usage: /usr/bin/fs sysname
> [-newsys  sysname>+] [-help]
> May 28 21:11:53 asus systemd[1]: Stopping openafs-client.service -
> OpenAFS client...
> May 28 21:11:54 asus systemd[1]: openafs-client.service:
> Deactivated successfully.
> May 28 21:11:54 asus systemd[1]: Stopped openafs-client.service -
> OpenAFS client.
> May 28 21:11:54 asus systemd[1]: openafs-client.service: Consumed
> 2.957s CPU time.
> May 28 21:11:54 asus systemd[1]: Starting openafs-client.service -
> OpenAFS client...
> May 28 21:11:56 asus afsd[275229]: afsd: All AFS daemons started.
> May 28 21:11:56 asus afsd[275250]: afsd: All AFS daemons started.
> May 28 21:11:56 asus fs[275253]: Usage: /usr/bin/fs sysname
> [-newsys +] [-help]
> May 28 21:11:56 asus systemd[1]: Started openafs-client.service -
> OpenAFS client.
> 
> How can I further debug this bos error?
> 
> openafs 1.8.9-1-debian
> 
> $ sudo lsmod  | grep openafs
> openafs  2863104  2
> $
> 
> Ernesto
