[OpenAFS] Newbie Question
Sergio Gelato
Sergio.Gelato@astro.su.se
Fri, 2 May 2008 18:42:48 +0200
* Steve Devine [2008-05-02 10:50:01 -0400]:
> Gary Bowling wrote:
> > [realms]
> > GBCO.US = {
> > #master_key_type = des3-hmac-sha1
> > master_key_type = des-cbc-crc
(Aside: why downgrade to single-DES here?)
> >- Edited /etc/sysconfig/openafs and added the BOSSERVER_ARGS=-noauth
> >line and started openafs-server - Success!
> >
> >- Ran bos setcellname localhost gbco.us -noauth - Success and bos
> >listhosts localhost -noauth returns the cell name gbco.us and hostname
> >homepc.gbco.us which are both correct.
> >
> >- Ran bos create -server homepc.gbco.us -instance ptserver -type
> >simple -cmd /usr/afs/bin/ptserver -cell gbco.us -noauth - Success!
> >
> >- Ran kadmin.local -q "addprinc admin" - Success!
> >
> >- Ran bos adduser homepc.gbco.us admin -cell gbco.us -noauth - Success
I think that one should answer Steve Devine's question.
> >
> >- Ran bos listkeys homepc.gbco.us -cell gbco.us -noauth - All looks
> >good as follows.
> > key 3 has cksum 2318139578
> > Keys last changed on Fri May 2 07:21:18 2008.
> > All done.
> >
> >- Ran pts createuser -name admin -cell gbco.us -noauth - Success!
> >
> >- Ran pts adduser admin system:administrators -cell gbco.us -noauth -
> >success
Unless I'm mistaken you could restart bos without -noauth already at
this point. Doing so would expose authentication issues early,
separating them from the question of whether /afs is writeable to
an administrator (if you started your client with -dynroot it won't
be).
> >- Ran pts membership admin -cell gbco.us -noauth - Looks good with the
> >following results.
> > Groups admin (id: 1) is a member of:
> > system:administrators
> >
> >- Ran bos create -server homepc.gbco.us -instance fs -type fs -cmd
> >/usr/afs/bin/fileserver -cmd /usr/afs/bin/volserver -cmd
> >/usr/afs/bin/salvager -cell gbco.us -noauth - Success!
> >
> >- Ran bos create -server homepc.gbco.us -instance vlserver -type
> >simple -cmd /usr/afs/bin/vlserver -cell gbco.us -noauth - Success!
> >
> >-Ran bos create -server homepc.gbco.us -instance buserver -type simple
> >-cmd /usr/afs/bin/buserver -cell gbco.us -noauth - Success!
> >
> >- Created /vicepa mount point and mounted - looks good.
> >
> >- Ran vos create -server homepc.gbco.us -partition /vicepa -name
> >root.afs -cell gbco.us -noauth - Success!
> >
> >- Ran bos status homepc.gbco.us fs -long -noauth - Looks good with the
> >following results..
> > Instance fs, (type is fs) currently running normally.
> > Auxiliary status is: file server running.
> > Process last started at Fri May 2 09:25:37 2008 (2 proc starts)
> > Command 1 is '/usr/afs/bin/fileserver'
> > Command 2 is '/usr/afs/bin/volserver'
> > Command 3 is '/usr/afs/bin/salvager'
> >
> >- Edited /etc/sysconfig/openafs and removed the "-noauth" - restarted
> >openafs-server in normal mode requiring authentication.
> >
> >- Started client
> >
> >- Ran kinit admin - put in pass - Success!
> >
> >- Ran klist - with the following results:
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin@GBCO.US
> >
> >   Valid starting     Expires            Service principal
> >   05/02/08 09:34:21  05/03/08 09:34:21  krbtgt/GBCO.US@GBCO.US
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> >
> >- Ran aklog - Success!
> >
> >- Ran tokens with the following results
> > Tokens held by the Cache Manager:
> >
> > User's (AFS ID 1) tokens for afs@gbco.us [Expires May 3 09:34]
> > --End of list--
> >
> >- Ran klist again and get
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin@GBCO.US
> >
> >   Valid starting     Expires            Service principal
> >   05/02/08 09:34:21  05/03/08 09:34:21  krbtgt/GBCO.US@GBCO.US
> >   05/02/08 09:35:38  05/03/08 09:34:21  afs@GBCO.US
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> >
> >- Ran fs checkvolumes - with the following results.
> > All volumeID/name mappings checked.
> >
> >- Ran fs setacl /afs system:anyuser rl - Received the following error...
> >fs: You don't have the required access rights on '/afs'
Are you using -dynroot on the client by any chance?
> >I've done a number of subsequent things in kadmin and other places,
> >but am at a loss as to how to resolve. Any help would be appreciated.
With -dynroot the way to manipulate root.afs is to first create and set
up root.cell (which will automatically appear at /afs/.gbco.us, at least
if your client-side CellServDB is properly set up), then mount root.afs
somewhere under it, set it up and unmount it. Alternatively, you could
run your client without -dynroot while you set up root.afs.
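The -dynroot workaround Sergio describes, written out as a command sequence. This is an added example, not part of the thread and not OpenAFS's own scripting: it uses the cell, server and partition from Gary's message (gbco.us, homepc.gbco.us, /vicepa), and assumes the admin already holds tokens (kinit followed by aklog) so that none of the commands need -noauth. The temporary mount-point name `.root.afs`, the dry-run wrapper and the `plan`/`apply` switch are this example's own choices; the final addsite/release step is the usual read-only replication of root.afs and root.cell and goes a little beyond what the message itself mentions.

```shell
#!/bin/sh
# Bootstrap root.afs from a client running with -dynroot.
# Added example; assumes admin tokens are already held (kinit && aklog),
# so no -noauth anywhere. Cell/server/partition come from the thread.
#
#   sh afs-root.sh          dry run: print the commands that would be run
#   sh afs-root.sh apply    actually run vos/fs against the cell
set -eu

CELL=${CELL:-gbco.us}
SERVER=${SERVER:-homepc.gbco.us}
PART=${PART:-/vicepa}
# With -dynroot the read/write path of root.cell is /afs/.<cell>.
RW_ROOT=/afs/.$CELL
# Temporary mount point (assumed name) for root.afs inside root.cell.
TMP_MNT=$RW_ROOT/.root.afs

# Print each AFS command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Fail early if the cache manager holds no token for this cell; this is the
# authentication problem Sergio suggests flushing out before touching /afs.
require_tokens() {
    tokens | grep -q "tokens for afs@$CELL" || {
        echo "no AFS token for $CELL; run kinit and aklog first" >&2
        return 1
    }
}

setup_root_afs() {
    # 1. root.cell: once created it shows up at /afs/.<cell> via dynroot.
    run vos create -server "$SERVER" -partition "$PART" -name root.cell -cell "$CELL"
    run fs setacl -dir "$RW_ROOT" -acl system:anyuser rl
    # 2. root.afs is unreachable under dynroot, so mount it inside root.cell.
    run fs mkmount -dir "$TMP_MNT" -vol root.afs
    # 3. Set root.afs up: world-readable ACL, RO and RW mount points for the cell.
    run fs setacl -dir "$TMP_MNT" -acl system:anyuser rl
    run fs mkmount -dir "$TMP_MNT/$CELL" -vol root.cell
    run fs mkmount -dir "$TMP_MNT/.$CELL" -vol root.cell -rw
    # 4. Unmount root.afs again so root.cell does not keep a loop back to it.
    run fs rmmount -dir "$TMP_MNT"
    # 5. Usual quick-start finish: give both volumes an RO site and release them.
    for vol in root.afs root.cell; do
        run vos addsite -server "$SERVER" -partition "$PART" -id "$vol" -cell "$CELL"
        run vos release -id "$vol" -cell "$CELL"
    done
}

# The dry-run plan, one command per line, for review before applying.
plan() {
    ( APPLY=0; setup_root_afs )
}

if [ "${1:-}" = apply ]; then
    APPLY=1
    require_tokens
    setup_root_afs
else
    plan
fi
```

Run it once without arguments and read the plan; the important property is that the ACL and the two cell mount points are set while root.afs is mounted, and `fs rmmount` comes last. If your client CellServDB does not list gbco.us, /afs/.gbco.us will not appear and step 1 will fail, which is the CellServDB caveat Sergio raises.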