[OpenAFS] Help setting up openafs on debian bookworm

Ernesto Alfonso erjoalgo@gmail.com
Sun, 2 Jun 2024 12:18:54 -0400


Dirk Heinrichs:

    Because you deleted the wrong key. The AFS principal should be named
    "afs/<domain>@<REALM>".  Just follow the instructions in
    https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
    the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
    "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
    all set.

Thanks. According to the afs-newcell script requirements banner, it would
be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the
principal:

    If your cell's name is the same as your Kerberos realm then create a
    principal called afs.
    Otherwise, create a principal called afs/cellname in your realm

I must admit that it is hard to know which guides to follow. I'm aware of
docs.openafs.org, but since I'm on Debian I was looking for something more
Debian-specific. Most guides, and even some commands, help strings and docs
inside OpenAFS, are somewhat outdated with respect to the use of DES keys.

For example, the afs-newcell says:

    2) You need to create the single-DES AFS key and load it into
       /etc/openafs/server/KeyFile.  ... You can use asetkey from the
       openafs-krb5 package, or
       if you used AFS3 salt to create the key, the bos addkey command.

Also, I have learned that `bos listkeys` will only list DES keys, which was
confusing.

If I try to follow docs.openafs.org it is not clear which parts are covered
by afs-newcell, afs-rootvol, etc., and should be skipped. I also appreciate
having a simple script to run when setting up a new AFS cell, so I would
like to stick with Debian packaging and scripts if possible.

I was able to run the afs-newcell script; I only had to modify my
/etc/hosts to add my FQDN as an alias for 127.0.0.1.

However, running `afs-rootvol` fails:

    █[asus][~][0]$ sudo kinit root/admin
    Password for root/admin@ASUS.ERJOALGO.COM:
    █[asus][~][25]$ sudo aklog -d
    Authenticating to cell asus.erjoalgo.com (server asus.erjoalgo.com).
    Trying to authenticate to user's realm ASUS.ERJOALGO.COM.
    Getting tickets: afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM
    We've deduced that we need to authenticate to realm ASUS.ERJOALGO.COM.
    Getting tickets: afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM
    Getting tickets: afs@ASUS.ERJOALGO.COM
    Using Kerberos V5 ticket natively
    About to resolve name root.admin to id in cell asus.erjoalgo.com.
    Id 1
    Setting tokens. root.admin @ asus.erjoalgo.com
    █[asus][~][16]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com
    What partition? [a]

    vos create asus.erjoalgo.com a root.cell -localauth
    Volume 536870915 created on partition /vicepa of asus.erjoalgo.com
    fs mkm /afs/asus.erjoalgo.com/.root.afs root.afs -rw
    fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'
    Failed: 256

    Root volume setup failed, ABORTING
    vos remove asus.erjoalgo.com a root.cell -localauth
    Volume 536870915 on partition /vicepa server asus deleted
    █[asus][~][0]$ sudo kinit root/admin
    Password for root/admin@ASUS.ERJOALGO.COM:
    █[asus][~][130]$ sudo aklog
    █[asus][~][4]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com --partition=a

    vos create asus.erjoalgo.com a root.cell -localauth
    Volume 536870918 created on partition /vicepa of asus.erjoalgo.com
    fs sa /afs system:anyuser rl
    fs:'/afs': Connection timed out
    Failed: 256

    Root volume setup failed, ABORTING
    vos remove asus.erjoalgo.com a root.cell -localauth
    Volume 536870918 on partition /vicepa server asus deleted
    █[asus][~][0]$ ls /afs


I don't understand what this means:

    fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'

sudo klist shows that the default principal is the root/admin principal
specified earlier when running afs-newcell:

    █[asus][~][130]$ sudo klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: root/admin@ASUS.ERJOALGO.COM

    Valid starting       Expires              Service principal
    06/02/2024 11:43:36  06/02/2024 21:43:36  krbtgt/ASUS.ERJOALGO.COM@ASUS.ERJOALGO.COM
    06/02/2024 11:44:32  06/02/2024 21:43:36  afs@ASUS.ERJOALGO.COM
    █[asus][~][0]$

I also don't understand the "connection timed out":

    fs:'/afs': Connection timed out

I found the error in this post:

https://www.cs.cmu.edu/afs/gco/archive/pipermail/openafs-info/2003-October/011026.html

But I'm not sure I understand the suggested solution, which references
bringing up a cache manager. I don't really understand what is going on.
Perhaps it would be better to try to set things up step by step and avoid
the Debian scripts.

Ernesto

On Sun, Jun 2, 2024 at 9:12 AM Dirk Heinrichs <dirk.heinrichs@altum.de> wrote:

> Ernesto Alfonso:
>
> > Now my problem is still understanding why `bos listkeys` now succeeds
> > but returns an empty set when asetkey does list 4 keys.
>
> Because you deleted the wrong key. The AFS principal should be named
> "afs/<domain>@<REALM>".  Just follow the instructions in
> https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> all set.
>
> Also note that if you set up multiple servers, you only need to do the
> kadmin part once, and copy the resulting rxkad.keytab (and probably
> KeyFileExt) to all servers, since the kvno needs to be the same on all
> servers, but exporting the key increases it.
>
> HTH...
>
>      Dirk
>
> --
> Dirk Heinrichs <dirk.heinrichs@altum.de>
> Matrix-Adresse: @heini:chat.altum.de
> GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
> Privacy Handbuch: https://www.privacy-handbuch.de
>
>
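Dirk's point that the kvno must match on every server (and that each `ktadd` export bumps it) suggests a quick consistency check. The script below is an added example, not code from the thread; it parses the text `klist -k` prints for a keytab, one listing per server, and reports whether the AFS principal's kvno is the same everywhere. The listings, cell and realm names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the kvno of the AFS
# service key across servers. Input is the text printed by `klist -k <keytab>`;
# the sample listings below are constructed and use placeholder cell/realm names.

# Print "principal kvno" pairs for afs or afs/<cell> principals from a
# klist -k listing on stdin. Header/separator lines have no numeric first field.
# One kvno appears once per enctype, hence the sort -u.
afs_key_versions() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^afs(\/[^@]+)?@/ { print $2, $1 }' | sort -u
}

# Exit 0 when every listing given as an argument (one file per server) holds
# exactly the same kvno for the AFS key; exit 1 on a mismatch or a missing key.
kvno_consistent() {
    kvnos=""
    for f in "$@"; do
        v=$(afs_key_versions < "$f" | awk '{ print $2 }' | sort -u | tr '\n' ' ')
        [ -n "$v" ] || v="missing "   # a server without an AFS key is a mismatch
        kvnos="$kvnos$v"
    done
    n=$(printf '%s\n' $kvnos | sort -u | wc -l | tr -d ' ')
    printf 'kvnos seen: %s\n' "$kvnos"
    [ "$n" -eq 1 ]
}

# Constructed sample listings: server2 was exported a second time, so its
# kvno advanced from 3 to 4 (the situation Dirk warns about).
demo=$(mktemp -d)
cat > "$demo/server1.txt" <<'EOF'
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/example.cell@EXAMPLE.REALM
   3 afs/example.cell@EXAMPLE.REALM
EOF
sed 's/^   3 /   4 /' "$demo/server1.txt" > "$demo/server2.txt"

if kvno_consistent "$demo/server1.txt" "$demo/server2.txt"; then
    echo "AFS key versions agree"
else
    echo "AFS key version mismatch: copy one rxkad.keytab to every server"
fi
```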
