[OpenAFS] IPA + OpenAFS
Qing Chang
qchang@sri.utoronto.ca
Thu, 12 Jul 2012 11:16:55 -0400
Greetings,
As recommended, you should create an AFS service principal as afs/DOMAIN@REALM,
e.g., afs/sri.utoronto.ca. IPA does not allow a service principal to be created if there is
no corresponding host principal. Hence, I have to have this: afs/openafs.sri.utoronto.ca,
where openafs.sri.utoronto.ca is the FQDN of the server. OpenAFS seems to be happy
with this, and by following the quick-start guide I have set up the first server on my
RHEL 6.3 server. Now I am at "Configuring the Top Levels of the AFS Filespace". After kinit and aklog,
this fails:
[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'
I found this thread:
http://lists.openafs.org/pipermail/openafs-info/2008-December/030552.html
which says that I have to create a keyfile with des-cbc-crc:v4 salt. After
some struggle with IPA, I finally created the keyfile with des-cbc-crc:v4.
It did not help; I still get the same error.
=====
[root@smb1 ~]# bos status smb1
Instance buserver, currently running normally.
Instance ptserver, currently running normally.
Instance vlserver, currently running normally.
Instance dafs, currently running normally.
Auxiliary status is: file server running.
Instance upserver, currently running normally.
[root@smb1 ~]# kinit admin
[root@smb1 ~]# aklog -d
Authenticating to cell openafs.sri.utoronto.ca (server smb1.sri.utoronto.ca).
Trying to authenticate to user's realm SRI.UTORONTO.CA.
Getting tickets: afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA
Using Kerberos V5 ticket natively
About to resolve name admin to id in cell openafs.sri.utoronto.ca.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 @ openafs.sri.utoronto.ca
[root@smb1 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@SRI.UTORONTO.CA
Valid starting Expires Service principal
07/12/12 10:56:17 07/13/12 10:56:10 krbtgt/SRI.UTORONTO.CA@SRI.UTORONTO.CA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/12/12 10:56:29 07/13/12 10:56:10 afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA
Etype (skey, tkt): des-cbc-crc, des-cbc-crc
[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'
=====
All logs seem OK except this:
[root@smb1 ~]# cat /usr/afs/logs/FileLog
Wed Jul 11 15:45:27 2012 File server starting (/usr/afs/bin/dafileserver)
Wed Jul 11 15:45:27 2012 afs_krb_get_lrealm failed, using openafs.sri.utoronto.ca.
Wed Jul 11 15:45:30 2012 VL_RegisterAddrs rpc failed; will retry periodically (code=5376, err=0)
Wed Jul 11 15:45:30 2012 VLRU: starting scanner with the following configuration parameters:
Wed Jul 11 15:45:30 2012 VLRU: offlining volumes after minimum of 7200 seconds of inactivity
Wed Jul 11 15:45:30 2012 VLRU: running VLRU soft detach pass every 120 seconds
Wed Jul 11 15:45:30 2012 VLRU: taking up to 8 volumes offline per pass
Wed Jul 11 15:45:30 2012 VLRU: scanning generation 0 for inactive volumes every 900 seconds
Wed Jul 11 15:45:30 2012 VLRU: scanning for promotion/demotion between generations 0 and 1 every 14400 seconds
Wed Jul 11 15:45:30 2012 VLRU: scanning for promotion/demotion between generations 1 and 2 every 28800 seconds
Wed Jul 11 15:45:30 2012 Set thread id 3 for FSYNC_sync
Wed Jul 11 15:45:30 2012 VInitVolumePackage: beginning parallel fileserver startup
Wed Jul 11 15:45:30 2012 VInitVolumePackage: using 1 threads to pre-attach volumes on 1 partitions
Wed Jul 11 15:45:30 2012 Scanning partitions on thread 1 of 1
Wed Jul 11 15:45:30 2012 Partition /vicepa: pre-attaching volumes
Wed Jul 11 15:45:30 2012 Partition scan thread 1 of 1 ended
Wed Jul 11 15:45:30 2012 fs_stateRestore: commencing fileserver state restore
Wed Jul 11 15:45:30 2012 fs_stateRestore: host table restored
Wed Jul 11 15:45:30 2012 fs_stateRestore: FileEntry and CallBack tables restored
Wed Jul 11 15:45:30 2012 fs_stateRestore: host table indices remapped
Wed Jul 11 15:45:30 2012 fs_stateRestore: FileEntry and CallBack indices remapped
Wed Jul 11 15:45:30 2012 fs_stateRestore: restore phase complete
Wed Jul 11 15:45:30 2012 fs_stateRestore: beginning state verification phase
Wed Jul 11 15:45:30 2012 fs_stateRestore: fileserver state verification complete
Wed Jul 11 15:45:30 2012 fs_stateRestore: restore was successful
Wed Jul 11 15:45:30 2012 Getting FileServer name...
Wed Jul 11 15:45:30 2012 FileServer host name is 'smb1.sri.utoronto.ca'
Wed Jul 11 15:45:30 2012 Getting FileServer address...
Wed Jul 11 15:45:30 2012 Set thread id 0000000000000010 for 'HostCheckLWP'
Wed Jul 11 15:45:30 2012 FileServer smb1.sri.utoronto.ca has address x.x.x.x
Wed Jul 11 15:45:30 2012 File Server started Wed Jul 11 15:45:30 2012
Wed Jul 11 15:45:30 2012 Set thread id 000000000000000B for 'FiveMinuteCheckLWP'
Wed Jul 11 15:45:30 2012 Set thread id 000000000000000C for 'FsyncCheckLWP'
Thanks,
Qing
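
An added example, not part of the original message: a shell function that reads `klist -e` output (as shown in the post) and lists the tickets whose session key or ticket encryption type is single DES, as the afs/ ticket above is. The function name, the sample realm and the sample hosts are constructed for illustration; on a live system it would be fed with `klist -e | weak_des_tickets`.

```shell
#!/bin/sh
# Added example (not from the original post).
# weak_des_tickets: read `klist -e` text on stdin and print one line per
# ticket whose session key or ticket etype is single-DES (des-cbc-*).
weak_des_tickets() {
    awk '
        # Ticket line: several columns, last one is the service principal.
        NF >= 5 && $NF ~ /@/ { princ = $NF; next }
        # The Etype line that follows describes that ticket.
        /Etype \(skey, tkt\):/ {
            sub(/^.*Etype \(skey, tkt\):[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            n = split($0, e, /,[ \t]*/)
            skey = e[1]
            tkt = (n > 1) ? e[2] : e[1]
            # des3-* and aes* do not match; only single-DES etypes do.
            if (skey ~ /^des-cbc-/ || tkt ~ /^des-cbc-/)
                printf "%s skey=%s tkt=%s\n", princ, skey, tkt
            princ = ""
        }
    '
}

# Constructed sample input (placeholder realm and hosts).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/12/12 10:56:17  07/13/12 10:56:10  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/12/12 10:56:29  07/13/12 10:56:10  afs/cell.example.org@EXAMPLE.ORG
    Etype (skey, tkt): des-cbc-crc, des-cbc-crc
07/12/12 10:57:02  07/13/12 10:56:10  host/fs1.example.org@EXAMPLE.ORG
    Etype (skey, tkt): des3-cbc-sha1, aes256-cts-hmac-sha1-96
EOF
}

sample_klist | weak_des_tickets
```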