[OpenAFS] Debian - openafs -noauth problems
Sergio Gelato
Sergio.Gelato@astro.su.se
Fri, 12 Aug 2005 19:00:12 +0200
* Madhusudan Singh [2005-08-12 10:47:00 -0400]:
> > Why not follow the /usr/sbin/afs-newcell script that comes with Debian's
> > openafs-dbserver package? It's rumoured to have some problems, but they
> > are worth reporting. (See below.)
>
> I am trying to get a feel of how the whole thing works, so I would like to get
> a working configuration by hand first.
That's OK, but by "follow" I didn't necessarily mean "run". One can also
read the script as documentation and type in the commands by hand.
> > One aspect that I found to be insufficiently documented is the need to
> > write your realm name in /etc/openafs/server/krb.conf . It's been
>
> Isn't krb.conf supposed to be present in /etc instead (I have it present
> there, and authentication seems to be "working" (read on)) ?
Covered in the mailing list archives. If you have an /etc/krb.conf on
your server for other reasons (generic Kerberos 4 support, presumably,
but that's getting out of fashion) and the realm for your cell is the
first one listed in that file, then indeed you don't need a separate
krb.conf in /etc/openafs/server.
> Then aklog worked. I then reestablished the firewall and opened TCP and UDP
> ports 88, 749, 750, and 751. Now kinit worked but aklog did not. That is
> where it stands from an authentication standpoint right now. Any idea which
> ports need to be open for aklog ?
4444 (krb524d), most probably. You can strace aklog to find out for sure.
And of course you'll want to open some of UDP 7000-7011 for AFS itself;
especially 7001 inbound, since callbacks can occur a long time after any
outbound AFS traffic from your host so that even stateful firewalls can have
trouble with them.
Note that these are client-side requirements (you asked about aklog);
the optimal firewall settings for a server will be different.
> # fs setacl /afs system:anyuser rl
>
> Now /afs is located on /, not /vicepa (Debian install set /afs up that way).
/afs is a mount point. You need the AFS client to be running in order
for the fs command to work.
> Since /afs is not located in root.afs on /vicepa, why would I even want to or
> be able to grant access rights to that (speaking as an afs administrator).
> But if memory serves me right, the server partitions are usually mounted
> under /afs. So, do I set a soft link ? Like ln -s /vicepa /afs ?
No, no, no. Just run
/etc/init.d/openafs-client force-start
if it isn't already running. (I think it is. "pgrep -fl afsd" will tell.)
> Sure enough the above command leads to the following error :
>
> fs: You don't have the required access rights on '/afs'
Check your tokens. Note that this is exactly the symptom I had when I
was missing a krb.conf file. Other related symptoms included pts
subcommands failing unless they were invoked with -noauth.
Did you restart bosserver without -noauth, by the way? At this stage
you want to have full authentication support.
> I am logged in as root with zzz's kerberos credentials (that ought to be
> the combination with the highest access privileges on this new system). What
> do you think is going on ?
>
> omega:/# ls -ltr / | grep "afs"
> drwxrwxrwx 2 root root 2048 2005-08-10 11:11 afs
>
> omega:/# id
> uid=0(root) gid=0(root) groups=0(root)
tokens? (And you could at least set up a PAG with pagsh; no need for
*every* daemon on your system to have administrative access to your AFS
cell while you are working.)
> omega:/# ls -ltr /afs
> ls: /afs: Permission denied
>
> Thanks.
>
> PS : How about creating an openafscellnotequaltokerberosrealm wiki on
> Wikipedia ?
There isn't that much to know: the AFS service principal obviously had
better have the cell name as instance, and the cell->realm mapping needs
to be configured (krb.conf). Maybe that can fit on an existing page of
the AFS wiki? I looked for that information in the FAQ.
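The client-side checks discussed in this thread (is afsd running, do you hold tokens, which realm does the cell map to via krb.conf, and which ports a client firewall must pass), collected into a small script. This is an added example, not code from the thread or from the Debian openafs packages; the cell and realm names, the file name afs-client-check.sh and the iptables chain names are assumptions, and the krb.conf parsing follows the Kerberos 4 convention that the first token of the first non-comment line is the realm.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): client-side sanity checks
# for an OpenAFS client whose cell name differs from its Kerberos realm.
# Usage: . ./afs-client-check.sh; client_status; client_firewall_rules
# (file name and all cell/realm values below are assumptions).

# Print the realm an AFS server would use for the cell: the first token of the
# first non-empty, non-comment line of the first readable krb.conf given.
# The thread's advice: /etc/openafs/server/krb.conf first, then /etc/krb.conf
# (the Kerberos 4 file, whose first line is the default realm).
realm_from_krbconf() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        realm=$(awk 'NF && $1 !~ /^#/ { print $1; exit }' "$f")
        [ -n "$realm" ] && { printf '%s\n' "$realm"; return 0; }
    done
    return 1
}

# Decide whether an explicit krb.conf mapping is needed. If the realm is just
# the cell name upper-cased the default cell->realm mapping already works;
# otherwise the realm must be the first entry in krb.conf. Prints yes/no.
needs_krbconf() { # usage: needs_krbconf CELL REALM
    cell_upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    if [ "$cell_upper" = "$2" ]; then echo no; else echo yes; fi
}

# Runtime checks from the thread: afsd must be running before "fs" commands
# work on /afs, and "fs setacl" needs tokens, not just root or a kinit ticket.
client_status() {
    if pgrep -fl afsd >/dev/null 2>&1; then
        echo "afsd: running"
    else
        echo "afsd: NOT running (try: /etc/init.d/openafs-client force-start)"
    fi
    if command -v tokens >/dev/null 2>&1; then
        echo "tokens:"; tokens
    else
        echo "tokens: command not found (openafs-client installed?)"
    fi
    realm=$(realm_from_krbconf /etc/openafs/server/krb.conf /etc/krb.conf) \
        && echo "realm from krb.conf: $realm" \
        || echo "realm: no krb.conf found (server-side cell->realm mapping missing)"
}

# iptables rules a stateful client firewall needs, as described in the thread:
# Kerberos (88, 749-751) and krb524d (4444) outbound, AFS fileserver UDP
# 7000-7011 outbound, and UDP 7001 inbound explicitly, because callbacks
# arrive long after the last outbound packet and stateful tracking has expired.
# Rules are printed, not applied; review them before use.
client_firewall_rules() {
    cat <<'EOF'
iptables -A OUTPUT -p udp --dport 88 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 88 -j ACCEPT
iptables -A OUTPUT -p udp --dport 749:751 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 749:751 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4444 -j ACCEPT
iptables -A OUTPUT -p udp --dport 7000:7011 -j ACCEPT
iptables -A INPUT  -p udp --dport 7001 -j ACCEPT
EOF
}

# Run the live checks only when invoked with "run", so the file can also be
# sourced for its functions.
if [ "${1:-}" = run ]; then
    client_status
    echo "--- suggested client firewall rules ---"
    client_firewall_rules
fi
```

The port list is the client-side one from the thread; a server firewall needs the inbound 7000-7011 range instead, and the rule set above deliberately does nothing until you apply it yourself.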