[OpenAFS] Newbie Question
Gary Bowling
gb@gbco.us
Fri, 02 May 2008 09:41:24 -0500
I'm a newbie to AFS, but have been an "IT guy" for a long time. Trying
to set this up in a lab to test to gain understanding of how to use it for
one of my customers.
My server is CentOS 5 and I'm almost there, but stuck at the very end.
Here's what I've done and where I'm stuck.
- Installed all the appropriate kerberos and openafs tools via the rpm
repository, openafs version is 1.4.6.
- Set up krb5.conf as follows:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = GBCO.US
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 GBCO.US = {
  kdc = kerberos.gbco.us:88
  admin_server = kerberos.gbco.us:749
  default_domain = gbco.us
 }

[domain_realm]
 .gbco.us = GBCO.US
 gbco.us = GBCO.US

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 afs_krb5 = {
  GBCO.US = {
   afs/GBCO.US = false
   afs = false
  }
 }
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
- set up /var/kerberos/krb5kdc/kdc.conf as follows:
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 GBCO.US = {
  #master_key_type = des3-hmac-sha1
  master_key_type = des-cbc-crc
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
- Set up /etc/pam.d/login and added the following line:
auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
- Ran kadmin.local -q "addprinc -randkey afs" - success!
- Ran kadmin.local -q "ktadd -e des-cbc-crc:afs3 afs" - Success! with
kvno number 3
- Ran asetkey add 3 /etc/krb5.keytab afs - Success!
- Edited /etc/sysconfig/openafs and added the BOSSERVER_ARGS=-noauth
line and started openafs-server - Success!
- Ran bos setcellname localhost gbco.us -noauth - Success and bos
listhosts localhost -noauth returns the cell name gbco.us and hostname
homepc.gbco.us which are both correct.
- Ran bos create -server homepc.gbco.us -instance ptserver -type simple
-cmd /usr/afs/bin/ptserver -cell gbco.us -noauth - Success!
- Ran kadmin.local -q "addprinc admin" - Success!
- Ran bos adduser homepc.gbco.us admin -cell gbco.us -noauth - Success
- Ran bos listkeys homepc.gbco.us -cell gbco.us -noauth - All looks good
as follows.
key 3 has cksum 2318139578
Keys last changed on Fri May 2 07:21:18 2008.
All done.
- Ran pts createuser -name admin -cell gbco.us -noauth - Success!
- Ran pts adduser admin system:administrators -cell gbco.us -noauth -
success
- Ran pts membership admin -cell gbco.us -noauth - Looks good with the
following results.
Groups admin (id: 1) is a member of:
system:administrators
- Ran bos create -server homepc.gbco.us -instance fs -type fs -cmd
/usr/afs/bin/fileserver -cmd /usr/afs/bin/volserver -cmd
/usr/afs/bin/salvager -cell gbco.us -noauth - Success!
- Ran bos create -server homepc.gbco.us -instance vlserver -type simple
-cmd /usr/afs/bin/vlserver -cell gbco.us -noauth - Success!
- Ran bos create -server homepc.gbco.us -instance buserver -type simple
-cmd /usr/afs/bin/buserver -cell gbco.us -noauth - Success!
- Created /vicepa mount point and mounted - looks good.
- Ran vos create -server homepc.gbco.us -partition /vicepa -name
root.afs -cell gbco.us -noauth - Success!
- Ran bos status homepc.gbco.us fs -long -noauth - Looks good with the
following results:
Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Process last started at Fri May 2 09:25:37 2008 (2 proc starts)
Command 1 is '/usr/afs/bin/fileserver'
Command 2 is '/usr/afs/bin/volserver'
Command 3 is '/usr/afs/bin/salvager'
- Edited /etc/sysconfig/openafs and removed the "-noauth" - restarted
openafs-server in normal mode requiring authentication.
- Started client
- Ran kinit admin - put in pass - Success!
- Ran klist - with the following results:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@GBCO.US

Valid starting     Expires            Service principal
05/02/08 09:34:21  05/03/08 09:34:21  krbtgt/GBCO.US@GBCO.US

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
- Ran aklog - Success!
- Ran tokens with the following results
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for afs@gbco.us [Expires May 3 09:34]
--End of list--
- Ran klist again and get
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@GBCO.US

Valid starting     Expires            Service principal
05/02/08 09:34:21  05/03/08 09:34:21  krbtgt/GBCO.US@GBCO.US
05/02/08 09:35:38  05/03/08 09:34:21  afs@GBCO.US

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
- Ran fs checkvolumes - with the following results.
All volumeID/name mappings checked.
- Ran fs setacl /afs system:anyuser rl - Received the following error...
fs: You don't have the required access rights on '/afs'
I've done a number of subsequent things in kadmin and other places, but
am at a loss as to how to resolve. Any help would be appreciated.
Thanks,
Gary
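The ktadd / asetkey / bos listkeys steps above only work if the kvno and enctype of the afs keytab entry match the key loaded into the server KeyFile. The script below is an added diagnostic, not part of Gary's post or of OpenAFS: it parses constructed samples of `klist -k -e` and `bos listkeys` output (modelled on the values in the post, with the MIT klist format assumed) and reports whether a single-DES afs@REALM keytab entry exists for a kvno the KeyFile holds.

```shell
#!/bin/sh
# Constructed sample of `klist -k -e /etc/krb5.keytab` output (MIT format
# assumed); the kvno 3 / des-cbc-crc entry mirrors the ktadd step in the post.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs@GBCO.US (DES cbc mode with CRC-32)'

# Constructed sample of `bos listkeys homepc.gbco.us -cell gbco.us` output,
# matching what the post reports after asetkey.
BOS_LISTKEYS='key 3 has cksum 2318139578
Keys last changed on Fri May 2 07:21:18 2008.
All done.'

# keyfile_kvnos: print the kvno of every key that bos listkeys reports.
keyfile_kvnos() {
    printf '%s\n' "$1" | awk '$1 == "key" && $3 == "has" { print $2 }'
}

# keytab_des_kvnos: print the kvno of every single-DES (des-cbc-crc) keytab
# entry for the given principal; the OpenAFS 1.4 KeyFile holds single-DES
# keys, so only those entries can possibly match it.
keytab_des_kvnos() {
    printf '%s\n' "$1" | awk -v princ="$2" \
        '$2 == princ && /DES cbc mode with CRC-32/ { print $1 }'
}

# check_afs_key: return 0 when some KeyFile kvno has a matching single-DES
# keytab entry for the afs principal, 1 when none does (kvno or enctype
# mismatch, or the principal is missing from the keytab).
check_afs_key() {
    keytab="$1"; listkeys="$2"; princ="$3"
    for kv in $(keyfile_kvnos "$listkeys"); do
        for tk in $(keytab_des_kvnos "$keytab" "$princ"); do
            [ "$kv" = "$tk" ] && return 0
        done
    done
    return 1
}

if check_afs_key "$KEYTAB_LISTING" "$BOS_LISTKEYS" "afs@GBCO.US"; then
    echo "keytab and KeyFile agree on a single-DES afs key"
else
    echo "no single-DES afs keytab entry matches any KeyFile kvno"
fi
```

Run the same functions over real `klist -k -e` and `bos listkeys` output to confirm the kvno given to asetkey is the one ktadd actually wrote.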