[OpenAFS] Debian - openafs -noauth problems
Madhusudan Singh
singh.madhusudan@gmail.com
Mon, 15 Aug 2005 13:26:45 -0400
Hi
Thanks for your patience.
On Monday 15 August 2005 12:44 pm, Sergio Gelato wrote:
> * Madhusudan Singh [2005-08-15 11:26:16 -0400]:
> > On Saturday 13 August 2005 7:41 am, Sergio Gelato wrote:
> > > * Madhusudan Singh [2005-08-12 15:34:14 -0400]:
> > > > Tokens held by the Cache Manager:
> > > >
> > > > User's (AFS ID 2) tokens for afs@omega.domain.edu [Expires Aug 13
> > > > 01:18]
>
> Would that be omega.eecs.umich.edu ?
>
It might have been so a year ago, but no, not today.
> > omega:~# head -1 /etc/openafs/server/krb.conf
> > KERBEROS.DOMAIN.EDU
>
> So you say it checks out.
I guess so.
>
> Did you also check the consistency of the KDC's view of things (key, kvno)
> with the contents of your own KeyFile ? Any discrepancy at that level
My /etc/openafs/server/KeyFile was generated using asetkey from the supplied
keytab.
How do I check what is going on there ?
Further, if I am able to authenticate and obtain tickets, should it not just
work from there on ?
My /etc/krb5.conf :
[logging]
default = FILE:/var/log/krb5libs.org
[libdefaults]
default_realm = KERBEROS.DOMAIN.EDU
krb5_config = /etc/krb.conf
krb5_realms = /etc/krb.realms
forwardable = true
proxiable = true
noaddresses = true
default_keytab_name = FILE:/etc/krb5.keytab
default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
You were making a reference to the enctypes earlier. Could the above be a part of
the reason for my inability to work on the filesystem ?
> would not show up using -localauth but only when using token-based
> authentication; which means you can test it by issuing some vos commands
> on your server, both with -localauth and using an administrator's tokens.
> "vos create" and "vos remove" should be adequate for this test.
> A difference between "fs setacl /afs" and "vos create" is that the
> latter doesn't involve the /afs mount point; that should help draw
> the line between authentication on the one hand and afsd issues on the
> other.
vos commands did work for me when I created the partition. But I believe that
I issued them while running bos under -noauth. Could that have caused these
problems ?
Should I then recreate root.afs on /vicepa while authenticated as the admin ?
If so, how do I delete that volume first ?
>
> You should also dump your pts database with pt_util, and make sure
> it's correct. I have:
>
omega:/etc# pt_util -p /var/lib/openafs/db/prdb.DB0 -m
Ubik Version is: 2103638850.67108864
system:backup 2/0 -205 -204 -204
system:administrators 130/20 -204 -204 -204
<adminname> 2
system:ptsviewers 2/0 -203 -204 -204
system:authuser 2/0 -102 -204 -204
system:anyuser 2/0 -101 -204 -204
where <adminname> is the name of the admin here.
omega:/etc# cat /etc/openafs/server/UserList
cat: /etc/openafs/server/UserList: No such file or directory
Hmm.
> If none of this yields any clues, then I'm not sure what to do. Wipe out
> the entire openafs-*server configuration and redo it from scratch may be
> part of the answer; you'll probably end up with a working cell but we
> won't know exactly what went wrong the first time.
A "keep rebooting Windows until it works" type of solution is not one I want to
go for.
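
The KeyFile-versus-KDC kvno consistency check raised in the quoted reply above, as an added example that is not part of the original message or of OpenAFS itself. Assumptions: the service principal is afs@KERBEROS.DOMAIN.EDU (realm taken from the post; some cells use afs/<cellname>), and the sample outputs of `asetkey list` and MIT `kvno` are constructed, modelled on those tools' usual layout.

```shell
#!/bin/sh
# Added example, not from the original thread. Compares the key version
# number (kvno) the KDC reports for the AFS service principal with the
# kvnos stored in the server KeyFile.
#
# Live use on the server (assumed invocations; needs a valid TGT for kvno):
#   check_kvno "$(asetkey list)" "$(kvno "$PRINCIPAL")" "$PRINCIPAL"

PRINCIPAL='afs@KERBEROS.DOMAIN.EDU'   # assumption: realm from the post

# Constructed sample outputs (the key bytes are a placeholder).
SAMPLE_KEYFILE='kvno    3: key is: 0123456789abcdef
All done.'
SAMPLE_KDC='afs@KERBEROS.DOMAIN.EDU: kvno = 4'

# Read "asetkey list" text on stdin, print each kvno found, sorted.
keyfile_kvnos() {
    awk '$1 == "kvno" && $2 ~ /^[0-9]+:$/ { sub(/:$/, "", $2); print $2 }' |
        sort -un
}

# Read "kvno <principal>" text on stdin, print the kvno for principal $1.
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" && $3 == "=" { print $4; exit }'
}

# $1 = asetkey text, $2 = kvno text, $3 = principal.
# Returns 0 on match, 1 on mismatch, 2 if either side has no usable entry.
check_kvno() {
    kf=$(printf '%s\n' "$1" | keyfile_kvnos)
    kdc=$(printf '%s\n' "$2" | kdc_kvno "$3")
    [ -n "$kf" ]  || { echo "NO_KEYFILE_KEY"; return 2; }
    [ -n "$kdc" ] || { echo "NO_KDC_KVNO"; return 2; }
    if printf '%s\n' "$kf" | grep -qx "$kdc"; then
        echo "MATCH kvno=$kdc"
        return 0
    fi
    # Tickets issued under $kdc cannot be decrypted with any KeyFile entry.
    echo "MISMATCH keyfile=$(printf '%s' "$kf" | tr '\n' ',') kdc=$kdc"
    return 1
}

# Demonstration on the constructed samples.
check_kvno "$SAMPLE_KEYFILE" "$SAMPLE_KDC" "$PRINCIPAL" || true
```

A matching kvno does not prove the key bytes agree; it only rules out the version mismatch, which is the case that stays hidden under -localauth.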