[OpenAFS] Debian - openafs -noauth problems
Sergio Gelato
Sergio.Gelato@astro.su.se
Mon, 15 Aug 2005 20:26:20 +0200
* Madhusudan Singh [2005-08-15 13:26:45 -0400]:
> My /etc/openafs/server/KeyFile was generated using asetkey from the supplied
> keytab.
>
> How do I check what is going on there ?
"asetkey list", or use Heimdal's ktutil (package heimdal-clients):
ktutil -k AFSKEYFILE:/etc/openafs/server/KeyFile list
But note that the latter fills in some information from other sources
(and the Debian 3.1 version looks for krb.conf in /etc/openafs/etc,
strace tells me; so don't take the ktutil output too seriously).
> Further, if I am able to authenticate and obtain tickets, should it not just
> work from there on ?
The key used by the KDC in issuing the ticket needs to be one that the
service will accept. You don't know whether that's the case until you
actually present the ticket/token to the service for authentication.
> My /etc/krb5.conf :
[looks fine]
> You were making a reference to the enctypes earlier. Could above be a part of
> the reason for my inability to work on the filesystem ?
No. That list of permitted enctypes was fine. What is required (for now)
is that the KDC always use a single-DES key when issuing AFS service
tickets, since AFS doesn't support anything else. That's done in kadmin,
by deleting unwanted enctypes from the AFS service key (and from that
key alone; you most definitely should use stronger ciphers whenever
possible). But since --- as you showed us --- your AFS tickets are
single-DES, your problem lies elsewhere.
> > would not show up using -localauth but only when using token-based
> > authentication; which means you can test it by issuing some vos commands
> > on your server, both with -localauth and using an administrator's tokens.
> > "vos create" and "vos remove" should be adequate for this test.
> > A difference between "fs setacl /afs" and "vos create" is that the
> > latter doesn't involve the /afs mount point; that should help draw
> > the line between authentication on the one hand and afsd issues on the
> > other.
>
> vos commands did work for me when I created the partition. But I believe that
> I issued them while running bos under -noauth. Could that have caused these
> problems ?
Caused? No. Hidden? Yes, but then -localauth would hide them too.
> omega:/etc# cat /etc/openafs/server/UserList
> cat: /etc/openafs/server/UserList: No such file or directory
>
> Hmm.
Indeed. "bos adduser omega <adminname> -localauth" should fix it.
Hopefully that was your only remaining problem.