[OpenAFS] Help setting up openafs on debian bookworm
Jose M Calhariz
jose.calhariz@tecnico.ulisboa.pt
Tue, 4 Jun 2024 15:24:45 +0100
Hi,
as a maintainer of an OpenAFS cell on Debian, I have been setting up
OpenAFS cells, just for tests, from scratch on Debian until V11. I
follow the documentation inside the package and it works for me. If I
am not mistaken you need 1 VM for kerberos server and another VM for
the first AFSDB/Fileserver. For a cell that needs to run more than
some days, I use 3 AFSDB and 2 File servers and 1 Kerberos master and
1 Kerberos slave.
As it seems you have problems setting up a real cell, I recommend
setting up a dummy cell just for learning. OpenAFS is nice after you know
how to deal with it, until then it is a beast that can easily bite you.
Kind regards
Jose M Calhariz
On Sun, Jun 02, 2024 at 12:18:54PM -0400, Ernesto Alfonso wrote:
> Dirk Heinrichs:
>
> Because you deleted the wrong key. The AFS principal should be named
> "afs/<domain>@<REALM>". Just follow the instructions in
> https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> all set.
>
> Thanks. According to the afs-newcell script requirements banner, it would
> be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the
> principal.
>
> If your cell's name is the same as your Kerberos realm then create a
> principal called afs.
> Otherwise, create a principal called afs/cellname in your realm
>
> I must admit that it is hard to know which guides to follow. I'm aware of
> docs.openafs.org, but since I'm on debian I was looking for something more
> debian-specific. Most guides and even some commands inside openafs, help
> strings, docs are somewhat outdated with respect to the use of DES keys.
>
> For example, the afs-newcell says:
>
> 2) You need to create the single-DES AFS key and load it into
> /etc/openafs/server/KeyFile. ... You can use asetkey from the
> openafs-krb5 package, or
> if you used AFS3 salt to create the key, the bos addkey command.
>
> Also, I have learned that `bos listkeys` will only list DES keys, which was
> confusing.
>
> If I try to follow docs.openafs.org it is not clear which parts are covered
> by afs-newcell, afs-rootvol, etc and should be skipped. I also appreciate
> having a simple script to run when setting up a new AFS cell, so I would
> like to stick with debian packaging and scripts if possible.
>
> I was able to run the afs-newcell script, I only had to modify my
> /etc/hosts to add my FQDN as an alias for 127.0.0.1.
>
> However, running `afs-rootvol` fails:
>
> █[asus][~][0]$ sudo kinit root/admin
> Password for root/admin@ASUS.ERJOALGO.COM:
> █[asus][~][25]$ sudo aklog -d
> Authenticating to cell asus.erjoalgo.com (server asus.erjoalgo.com).
> Trying to authenticate to user's realm ASUS.ERJOALGO.COM.
> Getting tickets: afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM
> We've deduced that we need to authenticate to realm ASUS.ERJOALGO.COM.
> Getting tickets: afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM
> Getting tickets: afs@ASUS.ERJOALGO.COM
> Using Kerberos V5 ticket natively
> About to resolve name root.admin to id in cell asus.erjoalgo.com.
> Id 1
> Setting tokens. root.admin @ asus.erjoalgo.com
> █[asus][~][16]$ sudo afs-rootvol --requirements-met --server
> asus.erjoalgo.com
> What partition? [a]
>
> vos create asus.erjoalgo.com a root.cell -localauth
> Volume 536870915 created on partition /vicepa of asus.erjoalgo.com
> fs mkm /afs/asus.erjoalgo.com/.root.afs root.afs -rw
> fs: You don't have the required access rights on '/afs/
> asus.erjoalgo.com/.root.afs'
> Failed: 256
>
> Root volume setup failed, ABORTING
> vos remove asus.erjoalgo.com a root.cell -localauth
> Volume 536870915 on partition /vicepa server asus deleted
> █[asus][~][0]$ sudo kinit root/admin
> Password for root/admin@ASUS.ERJOALGO.COM:
> █[asus][~][130]$ sudo aklog
> █[asus][~][4]$ sudo afs-rootvol --requirements-met --server
> asus.erjoalgo.com --partition=a
>
> vos create asus.erjoalgo.com a root.cell -localauth
> Volume 536870918 created on partition /vicepa of asus.erjoalgo.com
> fs sa /afs system:anyuser rl
> fs:'/afs': Connection timed out
> Failed: 256
>
> Root volume setup failed, ABORTING
> vos remove asus.erjoalgo.com a root.cell -localauth
> Volume 536870918 on partition /vicepa server asus deleted
> █[asus][~][0]$ ls /afs
>
>
> I don't understand what this means:
>
> fs: You don't have the required access rights on '/afs/
> asus.erjoalgo.com/.root.afs'
>
> sudo klist shows that the default principal is the root/admin principal
> specified earlier when running afs-newcell:
>
> █[asus][~][130]$ sudo klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root/admin@ASUS.ERJOALGO.COM
>
> Valid starting Expires Service principal
> 06/02/2024 11:43:36 06/02/2024 21:43:36 krbtgt/
> ASUS.ERJOALGO.COM@ASUS.ERJOALGO.COM
> 06/02/2024 11:44:32 06/02/2024 21:43:36 afs@ASUS.ERJOALGO.COM
> █[asus][~][0]$
>
> I also don't understand the connection-timed out:
>
> fs:'/afs': Connection timed out
>
> I found the error in this post:
>
> https://www.cs.cmu.edu/afs/gco/archive/pipermail/openafs-info/2003-October/011026.html
>
> But I'm not sure I understand the suggested solution that references
> bringing up a cache manager. I don't really understand what is going on.
> Perhaps it would be better to try to set things up step by step and avoid
> the debian scripts.
>
> Ernesto
>
> On Sun, Jun 2, 2024 at 9:12 AM Dirk Heinrichs <dirk.heinrichs@altum.de>
> wrote:
>
> > Ernesto Alfonso:
> >
> > > Now my problem is still understanding why `bos listkeys` now succeeds
> > > but returns an empty set when asetkey does list 4 keys.
> >
> > Because you deleted the wrong key. The AFS principal should be named
> > "afs/<domain>@<REALM>". Just follow the instructions in
> > https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> > the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> > "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> > all set.
> >
> > Also note that if you setup multiple servers, you only need to do the
> > kadmin part once, and copy the resulting rxkad.keytab (and probably
> > KeyFileExt) to all servers, since the kvno needs to be the same on all
> > servers, but exporting the key increases it.
> >
> > HTH...
> >
> > Dirk
> >
> >
> >
--
Remember that a good example is the best sermon
-- H. Jackson Brown Jr.
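
The kvno point in the quoted reply above (every server must hold the same key version for the cell's AFS principal), together with the thread's concern about leftover single-DES keys, as an added example that is not part of the original thread: a Python check over `klist -k -e` listings of each server's rxkad.keytab. The host names `fs1`/`fs2`, the keytab listings and all function names are constructed for illustration.

```python
import re

# One entry line of `klist -k -e <keytab>`:  "   2 afs/cell@REALM (enctype)"
# Without -e there is no "(enctype)" column and no line will match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype)] from `klist -k -e` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def expected_principals(cell, realm):
    """afs/<cell>, plus bare afs when the cell name equals the realm name."""
    names = [f"afs/{cell}@{realm}"]
    if cell.upper() == realm.upper():
        names.append(f"afs@{realm}")
    return names

def check_cell_keys(listings, cell, realm):
    """listings: {host: klist text}. Returns a list of findings (empty = OK)."""
    wanted = set(expected_principals(cell, realm))
    findings, newest = [], {}
    for host, text in sorted(listings.items()):
        keys = [e for e in parse_keytab_listing(text) if e[1] in wanted]
        if not keys:
            findings.append(f"{host}: no AFS service key for cell {cell}")
            continue
        newest[host] = max(k for k, _, _ in keys)
        for kvno, princ, etype in keys:
            if etype.startswith("des-"):  # single DES only; des3-* is not matched
                findings.append(f"{host}: single-DES key {princ} kvno {kvno}")
    if len(set(newest.values())) > 1:
        detail = ", ".join(f"{h}={v}" for h, v in sorted(newest.items()))
        findings.append(f"kvno mismatch across servers: {detail}")
    return findings

# Constructed sample listings (not taken from the thread).
HEADER = "Keytab name: FILE:/etc/openafs/server/rxkad.keytab\nKVNO Principal\n---- ----\n"
SAMPLE = {
    "fs1": HEADER + "   3 afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM (aes256-cts-hmac-sha1-96)\n",
    "fs2": HEADER + "   4 afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM (aes256-cts-hmac-sha1-96)\n"
                    "   4 afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM (DEPRECATED:des-cbc-crc)\n",
}

if __name__ == "__main__":
    print("\n".join(check_cell_keys(SAMPLE, "asus.erjoalgo.com", "ASUS.ERJOALGO.COM")))
```

A mismatch like the one in the sample is what results from exporting the key separately on each server instead of copying one rxkad.keytab to all of them.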