[OpenAFS] Re: IPA + OpenAFS
Qing Chang
qchang@sri.utoronto.ca
Thu, 12 Jul 2012 15:45:57 -0400
On 12/07/2012 3:35 PM, Andrew Deason wrote:
> On Thu, 12 Jul 2012 11:16:55 -0400
> Qing Chang <qchang@sri.utoronto.ca> wrote:
>
>> As recommended, you should create an AFS service principal as
>> afs/DOMAIN@REALM, eg, afs/sri.utoronto.ca. IPA does not allow a
>> service principal to be created if there is no corresponding host
>> principal. Hence, I have to have this: afs/openafs.sri.utoronto.ca,
>> where openafs.sri.utoronto.ca is the FQDN of the server. OpenAFS seems
>> to be happy with this,
> I forgot to mention... if it wasn't clear, this means that your cell
> name will be openafs.sri.utoronto.ca, not sri.utoronto.ca. That's not a
> problem if you're okay with that, but it may look a little funny; it's
> like having an email address like <qchang@sendmail.sri.utoronto.ca>. It
> also may be a little confusing, since if you ever have more than one
> server for the cell, afs/openafs.sri.utoronto.ca will be used by several
> servers with different FQDNs, not just openafs.sri.
>
> I haven't used IPA, but I assume you could create a host principal for
> sri.utoronto.ca and then just not use it, to get around that
> restriction. But that's not required.
>
Thank you very much, Andrew; at least I know I am not fighting 2 battles at once.
I was thinking of doing just that but settled on creating a CNAME as openafs for
the host smb1 that is also a test Samba server. I hope this is not causing the error
message in /usr/afs/logs/FileLog:
Wed Jul 11 15:45:27 2012 afs_krb_get_lrealm failed, using openafs.sri.utoronto.ca.
I'll do that when this moves to production...
Qing