[OpenAFS] Newbie Question
Steve Devine
sd@msu.edu
Fri, 02 May 2008 10:50:01 -0400
Gary Bowling wrote:
>
> I'm a newbie to AFS, but have been an "IT guy" for a long time. Trying
> to set this up in a lab to test to gain understanding of how to use
> for one of my customers.
>
> My server is CentOS 5 and I'm almost there, but stuck at the very
> end. Here's what I've done and where I'm stuck.
>
> - Installed all the appropriate kerberos and openafs tools via the rpm
> repository, openafs version is 1.4.6.
>
> - Set up krb5.conf as follows:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = GBCO.US
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  GBCO.US = {
>   kdc = kerberos.gbco.us:88
>   admin_server = kerberos.gbco.us:749
>   default_domain = gbco.us
>  }
>
> [domain_realm]
>  .gbco.us = GBCO.US
>  gbco.us = GBCO.US
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  afs_krb5 = {
>   GBCO.US = {
>    afs/GBCO.US = false
>    afs = false
>   }
>  }
>
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
>
> - set up /var/kerberos/krb5kdc/kdc.conf as follows:
> [kdcdefaults]
>  v4_mode = nopreauth
>  kdc_tcp_ports = 88
>
> [realms]
>  GBCO.US = {
>   #master_key_type = des3-hmac-sha1
>   master_key_type = des-cbc-crc
>   acl_file = /var/kerberos/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>  }
>
> - Set up /etc/pam.d/login and added the following line:
>
> auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
>
> - Ran kadmin.local -q "addprinc -randkey afs" - success!
>
> - Ran kadmin.local -q "ktadd -e des-cbc-crc:afs3 afs" - Success! with
> kvno number 3
>
> - Ran asetkey add 3 /etc/krb5.keytab afs - Success!
>
> - Edited /etc/sysconfig/openafs and added the BOSSERVER_ARGS=-noauth
> line and started openafs-server - Success!
>
> - Ran bos setcellname localhost gbco.us -noauth - Success and bos
> listhosts localhost -noauth returns the cell name gbco.us and hostname
> homepc.gbco.us which are both correct.
>
> - Ran bos create -server homepc.gbco.us -instance ptserver -type
> simple -cmd /usr/afs/bin/ptserver -cell gbco.us -noauth - Success!
>
> - Ran kadmin.local -q "addprinc admin" - Success!
>
> - Ran bos adduser homepc.gbco.us admin -cell gbco.us -noauth - Success
>
> - Ran bos listkeys homepc.gbco.us -cell gbco.us -noauth - All looks
> good as follows.
> key 3 has cksum 2318139578
> Keys last changed on Fri May 2 07:21:18 2008.
> All done.
>
> - Ran pts createuser -name admin -cell gbco.us -noauth - Success!
>
> - Ran pts adduser admin system:administrators -cell gbco.us -noauth -
> success
>
> - Ran pts membership admin -cell gbco.us -noauth - Looks good with the
> following results.
> Groups admin (id: 1) is a member of:
> system:administrators
>
> - Ran bos create -server homepc.gbco.us -instance fs -type fs -cmd
> /usr/afs/bin/fileserver -cmd /usr/afs/bin/volserver -cmd
> /usr/afs/bin/salvager -cell gbco.us -noauth - Success!
>
> - Ran bos create -server homepc.gbco.us -instance vlserver -type
> simple -cmd /usr/afs/bin/vlserver -cell gbco.us -noauth - Success!
>
> - Ran bos create -server homepc.gbco.us -instance buserver -type simple
> -cmd /usr/afs/bin/buserver -cell gbco.us -noauth - Success!
>
> - Created /vicepa mount point and mounted - looks good.
>
> - Ran vos create -server homepc.gbco.us -partition /vicepa -name
> root.afs -cell gbco.us -noauth - Success!
>
> - Ran bos status homepc.gbco.us fs -long -noauth - Looks good with the
> following results.
> Instance fs, (type is fs) currently running normally.
> Auxiliary status is: file server running.
> Process last started at Fri May 2 09:25:37 2008 (2 proc starts)
> Command 1 is '/usr/afs/bin/fileserver'
> Command 2 is '/usr/afs/bin/volserver'
> Command 3 is '/usr/afs/bin/salvager'
>
> - Edited /etc/sysconfig/openafs and removed the "-noauth" - restarted
> openafs-server in normal mode requiring authentication.
>
> - Started client
>
> - Ran kinit admin - put in pass - Success!
>
> - Ran klist - with the following results:
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@GBCO.US
>
> Valid starting Expires Service principal
> 05/02/08 09:34:21 05/03/08 09:34:21 krbtgt/GBCO.US@GBCO.US
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> - Ran aklog - Success!
>
> - Ran tokens with the following results
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1) tokens for afs@gbco.us [Expires May 3 09:34]
> --End of list--
>
> - Ran klist again and get
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@GBCO.US
>
> Valid starting Expires Service principal
> 05/02/08 09:34:21 05/03/08 09:34:21 krbtgt/GBCO.US@GBCO.US
> 05/02/08 09:35:38 05/03/08 09:34:21 afs@GBCO.US
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> - Ran fs checkvolumes - with the following results.
> All volumeID/name mappings checked.
>
> - Ran fs setacl /afs system:anyuser rl - Received the following error...
> fs: You don't have the required access rights on '/afs'
>
> I've done a number of subsequent things in kadmin and other places,
> but am at a loss as to how to resolve. Any help would be appreciated.
>
> Thanks,
> Gary
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
Got admin in /usr/afs/etc/UserList ?
--
Steve Devine
E-Mail & Storage
Academic Technical Services
Michigan State University
313 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327
Baseball is ninety percent mental; the other half is physical.
- Yogi Berra
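Two checks a reviewer of the setup quoted above would want to run on the files before debugging ACLs: a lint of the kdc.conf-style profile for single-DES enctypes and Kerberos 4 compatibility (both appear in the quoted configuration), and a cross-check that the key version number in the Kerberos keytab matches the one the AFS KeyFile reports, since an `asetkey` run against the wrong kvno fails silently until authentication is required. This is an added example written for this page; it is not code from the thread, OpenAFS or MIT Kerberos. It assumes MIT's `klist -k -e` output format and the `bos listkeys` format quoted in the thread; the sample inputs are constructed after the quoted files.

```python
"""Lint krb5.conf/kdc.conf-style profiles for weak Kerberos settings and
cross-check AFS key version numbers between the keytab and the KeyFile.
Added example; sample inputs are constructed after the files quoted in the thread."""
import re

# Single-DES enctypes: 56-bit keys, deprecated for Kerberos by RFC 6649.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}


def parse_krb5_conf(text):
    """Parse the [section] / key = value / key = { ... } profile format
    used by krb5.conf and kdc.conf into nested dicts."""
    root, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        section = re.match(r"^\[(\w+)\]$", line)
        if section:
            current = root.setdefault(section.group(1), {})
            stack = [current]
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":                          # nested block, e.g. a realm
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return root


def audit_kdc_conf(conf):
    """Return (where, finding) pairs for settings that weaken the realm."""
    findings = []
    v4 = conf.get("kdcdefaults", {}).get("v4_mode")
    if v4 in ("full", "nopreauth"):
        findings.append(("kdcdefaults", f"Kerberos 4 requests answered (v4_mode = {v4})"))
    for realm, settings in conf.get("realms", {}).items():
        if not isinstance(settings, dict):
            continue
        master = settings.get("master_key_type")
        if master in SINGLE_DES:
            findings.append((realm, f"master key is single DES ({master})"))
        for entry in settings.get("supported_enctypes", "").split():
            if entry.split(":", 1)[0] in SINGLE_DES:   # enctype[:salt]
                findings.append((realm, f"single-DES enctype offered: {entry}"))
    return findings


def keytab_kvnos(klist_ke_output, principal):
    """Key version numbers for `principal` (name before '@') in `klist -k -e` output."""
    kvnos = set()
    for line in klist_ke_output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s+\(", line)
        if m and m.group(2).split("@", 1)[0] == principal:
            kvnos.add(int(m.group(1)))
    return kvnos


def keyfile_kvnos(bos_listkeys_output):
    """Key version numbers from `bos listkeys` output ('key N has cksum ...')."""
    return {int(m.group(1))
            for m in re.finditer(r"^key (\d+) has cksum", bos_listkeys_output, re.M)}


def afs_key_mismatch(klist_ke_output, bos_listkeys_output, principal="afs"):
    """Key versions present on one side only; an empty set means keytab and KeyFile agree."""
    return keytab_kvnos(klist_ke_output, principal) ^ keyfile_kvnos(bos_listkeys_output)


# Constructed sample inputs, modelled on the thread's kdc.conf and command output.
KDC_CONF = """\
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 GBCO.US = {
  #master_key_type = des3-hmac-sha1
  master_key_type = des-cbc-crc
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
"""

KLIST_KE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs@GBCO.US (DES cbc mode with CRC-32)
"""

BOS_LISTKEYS = """\
key 3 has cksum 2318139578
Keys last changed on Fri May 2 07:21:18 2008.
All done.
"""

if __name__ == "__main__":
    for where, finding in audit_kdc_conf(parse_krb5_conf(KDC_CONF)):
        print(f"[{where}] {finding}")
    print("kvno mismatch:", afs_key_mismatch(KLIST_KE, BOS_LISTKEYS) or "none")
```

Run against the constructed sample, the audit reports seven findings (the v4_mode setting, the single-DES master key and five single-DES `supported_enctypes` entries), and the kvno check reports no mismatch because both the keytab and the KeyFile hold key version 3; change the keytab line to kvno 4 and the check returns `{3, 4}`.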