[OpenAFS] newbie OpenAFS troubles
Rohit Kumar Mehta
rohitm@engr.uconn.edu
Mon, 27 Oct 2003 14:48:13 -0500
Hi guys, I am trying to set up an OpenAFS server with Debian (woody).
The Debian machine has been successfully configured as a Kerberos client and
we have a Windows 2000 Active Directory KDC. This was tested with kinit,
kpasswd, kerberized ssh, telnet, ftp, etc.
The following packages are installed on the system:
afs-test:/home/ro# dpkg -l |egrep "afs|krb"
ii  krb5-admin-ser 1.2.4-5woody4  Mit Kerberos master server (kadmind)
ii  krb5-clients   1.2.4-5woody4  Secure replacements for ftp, telnet and rsh
ii  krb5-config    1.4            Configuration files for Kerberos Version 5
ii  krb5-doc       1.2.4-5woody4  Documentation for krb5
ii  krb5-ftpd      1.2.4-5woody4  Secure FTP server supporting MIT Kerberos
ii  krb5-kdc       1.2.4-5woody4  Mit Kerberos key server (KDC)
ii  krb5-rsh-serve 1.2.4-5woody4  Secure replacements for rshd and rlogind us
ii  krb5-telnetd   1.2.4-5woody4  Secure telnet server supporting MIT Kerberos
ii  krb5-user      1.2.4-5woody4  Basic programs to authenticate using MIT Ker
ii  libkrb5-dev    1.2.4-5woody4  Headers and development libraries for MIT Ke
ii  libkrb53       1.2.4-5woody4  MIT Kerberos runtime libraries
ii  libpam-krb5    1.0-7          PAM module for MIT Kerberos
ii  openafs-client 1.2.3final2-6  The AFS distributed filesystem- client suppo
ii  openafs-dbserv 1.2.3final2-6  The AFS distributed filesystem- database ser
ii  openafs-filese 1.2.3final2-6  The AFS distributed filesystem- file server
ii  openafs-krb5   1.3-8          The AFS distributed filesystem- Kerberos 5 I
ii  openafs-module 1.2.3final2-6+ The AFS distributed filesystem- Kernel Modul
ii  openafs-module 1.2.3final2-6  The AFS distributed filesystem- Module Sourc
ii  ssh-krb5       3.4p1-0woody4  Secure rlogin/rsh/rcp replacement (OpenSSH w
The following is the contents of krb5.conf:
[libdefaults]
    default_realm = AD.ENGR.UCONN.EDU
    default_tgs_enctypes = des-cbc-md5
    default_tkt_enctypes = des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-crc
[appdefaults]
    kinit = {
        forwardable = true
    }
    telnet = {
        forward = true
        encrypt = true
        autologin = true
    }
    rlogin = {
        allow_fallback = false
    }
[realms]
    AD.ENGR.UCONN.EDU = {
        kdc = SHIRE.AD.ENGR.UCONN.EDU
        admin_server = SHIRE.AD.ENGR.UCONN.EDU
    }
[domain_realm]
    ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
    .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
    engr.uconn.edu = AD.ENGR.UCONN.EDU
    .engr.uconn.edu = AD.ENGR.UCONN.EDU
I configured openafs-client to assign the machine to the engr.uconn.edu
cell, and prepended the following lines to /etc/openafs/CellSrvDB:
>engr.uconn.edu #School of Engineering
137.99.21.2 #afs-test.engr.uconn.edu
A principal, afs/engr.uconn.edu@AD.ENGR.UCONN.EDU, was created in the
Active Directory, and the keytab was installed in the AFS server with the
asetkey command. AFS was configured with the Debian package install scripts
and everything seems ok past the "afs-newcell" script.
Mount shows me that I have an afs filesystem somewhere.
afs-test:~# mount
/dev/hda2 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/var/lib/openafs/vicepa on /vicepa type ext2 (rw,loop=/dev/loop0)
AFS on /afs type afs (rw)
However, because I cannot get the following to work, I cannot proceed to
set up root.afs:
afs-test:/ad# aklog -d engr.uconn.edu -k AD.ENGR.UCONN.EDU
Authenticating to cell engr.uconn.edu (server afs-test.engr.uconn.edu).
We were told to authenticate to realm AD.ENGR.UCONN.EDU.
Getting tickets: afs/engr.uconn.edu@AD.ENGR.UCONN.EDU
Kerberos error code returned by get_cred: -1765328228
aklog: Couldn't get engr.uconn.edu AFS tickets:
aklog: Cannot contact any KDC for requested realm while getting AFS tickets
I'm not really sure what is wrong here, and I would appreciate anyone
being able to steer me in the right direction.
Many thanks,
Rohit Kumar Mehta
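
Added example, not part of the original post: the raw number aklog prints for get_cred is a com_err code, and this Python snippet splits it into its error-table name and offset so it can be looked up in the Kerberos error table. The function names are hypothetical, and the 6-bit name packing and the symbol KRB5_KDC_UNREACH are taken from MIT com_err and krb5 conventions, not from the post.

```python
import re

# Character set com_err uses to pack an error-table name, 6 bits per character
# (assumption: MIT com_err layout, low 8 bits offset, upper 24 bits table name).
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Offsets this example knows by name; only the one seen in the post is listed.
KNOWN = {("krb5", 156): "KRB5_KDC_UNREACH"}

# The relevant aklog -d lines quoted in the post above.
AKLOG_OUTPUT = """\
Getting tickets: afs/engr.uconn.edu@AD.ENGR.UCONN.EDU
Kerberos error code returned by get_cred: -1765328228
aklog: Cannot contact any KDC for requested realm while getting AFS tickets
"""

def decode_com_err(code):
    """Split a com_err code into (table name, offset in table, table base)."""
    u = code & 0xFFFFFFFF          # view the signed value as 32 unsigned bits
    offset = u & 0xFF              # low 8 bits: index within the error table
    packed = (u >> 8) & 0xFFFFFF   # upper 24 bits: table name, four 6-bit chars
    name = ""
    for shift in (18, 12, 6, 0):
        ch = (packed >> shift) & 0x3F
        if ch:                     # 0 means no character in this position
            name += CHARSET[ch - 1]
    return name, offset, code - offset

def explain(text):
    """Find get_cred error codes in aklog debug output and decode each one."""
    results = []
    for m in re.finditer(r"error code returned by get_cred: (-?\d+)", text):
        code = int(m.group(1))
        name, offset, _base = decode_com_err(code)
        symbol = KNOWN.get((name, offset), "unknown")
        results.append((code, name, offset, symbol))
    return results

if __name__ == "__main__":
    for code, name, offset, symbol in explain(AKLOG_OUTPUT):
        print(f"{code}: table '{name}', offset {offset}, {symbol}")
```

The decoded table name says which library's error table to consult; here it agrees with the text aklog prints on the following line.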