[OpenAFS] afsd dead / weird config

Peter Schuller peter.schuller@infidyne.com
Tue, 18 Feb 2003 00:16:44 +0100



Hello,

> hm, if i disable afsd, i don't need the openafs.o module, right?

Correct, but afsd (the AFS client) is needed to complete setting up the
server. Plus, it's always handy to be able to access the AFS server from
the same host... Some things work anyway (such as bos), but others do
not (such as vos, at least not all of it).

> >http://www.scode.org/afs/openafs-install.txt
>
> this reading was really great, with great comments the article on
> debianplanet did not have. i have to say that i'm using
> heimdal-kerberos, so krb5_newrealm is not available; i think this only

Ok. I haven't used it myself.

> generates a krb5.conf, right? may i post my krb5.conf, just for re-checking:

According to the manpage:

       This  script attempts to create a Kerberos realm.  It assumes
       that none of the realm components exists.  It creates the database
       and  populates /etc/krb5kdc/kadm5.keytab which contains keys
       necessary for akdmind to run.

IIRC, krb5.conf got created by the debian install scripts. I don't think
I needed to modify it afterwards. Hopefully not, since that would mean
my mini-guide is broken.

> ------/etc/krb5.conf----
> [libdefaults]
>         default_realm = HOUSECAFE.DE
>
> [realms]
> HOUSECAFE.DE = {
>         kdc = kdc.housecafe.de
>         admin_server = kdc.housecafe.de  }
>
> [domain_realm]
>         .housecafe.de = HOUSECAFE.DE
>         housecafe.de = HOUSECAFE.DE
> ------

Seems to be about the same as mine, though mine doesn't contain the
entries in [domain_realm]. On other hosts I've added those, but
apparently it works without them (I'm assuming it's some kind of
default).

> there is a /var/lib/heimdal-kdc/kdc.conf also, containing some kdc
> parameters, i think this file is set up right.

Probably. Can't help you there I'm afraid.

> ok, now things got interesting. bosserver is running with -noauth,
> behaving as mentioned in your howto:
> --------
> root@sheep:~# bos listhosts kdc -noauth
> Cell name is housecafe.de
> --------

Right. I still don't know why this occurs. But I haven't bothered
investigating further since it tends to sort itself out by the time
everything's up and running.

> yes, "kdc" or "kdc.housecafe.de" is a CNAME to sheep.housecafe.de. it
> resolves in /etc/hosts as well as via DNS.

Hmm. I think the important part is that the hostname must resolve to an
ip address which must resolve to an identical hostname.

I'm not saying it won't work, but it MIGHT be that if kdc is a CNAME and
the IP-address reverse-resolves to sheep, it won't work. Or perhaps
kerberos is intelligent about CNAMEs. Or perhaps Heimdal doesn't have
the same requirements. Dunno.

> cool, but "pts createuser" fails, saying
>
> root@sheep:~# pts createuser -name root -cell housecafe.de -noauth
> pts: no servers appear to be up ; unable to create user root
> ------
>
> you mentioned this too in your howto. but Ptlog is empty, i have only

Actually my problem was that the command hung. It just sat there. As
far as I can recall.

> this message on my console. the error would be DNS related, but it is
> not, i guess. as i said, "kdc" resolves perfectly to an ip-number.
> "hostname" gives "sheep" as output, but i also used this name and even
> as FQDN in every step. the ptserver instance is definitively running:
>
> root@sheep:~# bos status kdc -long -noauth
> Instance ptserver, (type is simple) currently running normally.
>     Process last started at Mon Feb 17 00:38:47 2003 (1 proc starts)
>     Command 1 is '/usr/lib/openafs/ptserver'
> ----
>
> ptserver shows up in "ps aux" too.
>
> now i'm stuck again.
> i tried to use the -force option, but this only went well for the
> "createuser" process (ignored errors), "adduser" was not working.

Hmmmmm. I honestly don't know what this might be all about. As far as I
know though, it doesn't involve kerberos in any way. But I may be wrong.
But my understanding is that the kerberos ticket basically just enables
the afs client apps to create an afs ticket; I don't think kerberos is
involved in any way when performing pts commands. But again, I may be
wrong.

Anyone else got a clue? :)

> the debianplanet article did not mention this at all, other manuals are
> only adding principals, setting keytab.files, and going on to mounting
> afs volumes. i'm still a bit confused about these different approaches,
> but the more i do, the more i seem to understand :-)

Heh, that's kind of what it was like for me. There were lots of docs that
were each "kind of" right, but not quite. After lots of reading of
different sources, and in particular the debian planet article, I was
finally able to get it up and running.

> you gave me great help with your debian related howto. sure, a
> generalized manual should also do. nevertheless i think i will alter
> your howto (if you don't mind) for heimdal-krb5 users, once i got this
> done here.

Sure. We should try to do this the smart way though. Rather than fork it
off, incorporate it. Then I'll have to convert it to some better format.

After all the trouble I had I figure I should try to help create some
good docs for future newbies. So if we can add heimdal info to the
mini-howto, that's a good step in the right direction of making it more
generalized.

-- 
/ Peter Schuller, InfiDyne Technologies HB

PGP userID: 0xE9758B7D or 'Peter Schuller <peter.schuller@infidyne.com>'
Key retrieval: Send an E-Mail to getpgpkey@scode.org
E-Mail: peter.schuller@infidyne.com Web: http://www.scode.org
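A small check for the resolution rule discussed in this mail (the server name must resolve to an address, and that address must reverse-resolve to the same name). This is an added example, not code from the original mail or from OpenAFS. It runs against constructed zone data that mirrors the setup described in the thread (kdc as a CNAME for sheep.housecafe.de); the records and the 192.0.2.10 documentation address are assumptions, and the `system_forward`/`system_reverse` helpers use the normal system resolver when you want to run it against a real host.

```python
"""Check that a server name, its addresses and their PTR records agree.

Added example for the thread above, not code from the original mail. The
zone data below is constructed to mirror the described setup and is not
real DNS data; 192.0.2.10 is a documentation address (assumption).
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (assumption: what the thread's zone looks like).
SAMPLE_CNAME: Dict[str, str] = {"kdc.housecafe.de": "sheep.housecafe.de"}
SAMPLE_A: Dict[str, List[str]] = {"sheep.housecafe.de": ["192.0.2.10"]}
SAMPLE_PTR: Dict[str, str] = {"192.0.2.10": "sheep.housecafe.de"}

ForwardFn = Callable[[str], Tuple[str, List[str]]]
ReverseFn = Callable[[str], Optional[str]]


def sample_forward(name: str) -> Tuple[str, List[str]]:
    """Resolve against the constructed zone: follow CNAMEs, return (canonical, addresses)."""
    seen = set()
    canonical = name.lower()
    while canonical in SAMPLE_CNAME:
        if canonical in seen:
            raise socket.gaierror(f"CNAME loop at {canonical}")
        seen.add(canonical)
        canonical = SAMPLE_CNAME[canonical].lower()
    if canonical not in SAMPLE_A:
        raise socket.gaierror(f"no address record for {name}")
    return canonical, list(SAMPLE_A[canonical])


def sample_reverse(ip: str) -> Optional[str]:
    """PTR lookup against the constructed zone; None when there is no record."""
    return SAMPLE_PTR.get(ip)


def system_forward(name: str) -> Tuple[str, List[str]]:
    """Real lookup via the system resolver; gethostbyname_ex reports the canonical name."""
    canonical, _aliases, addresses = socket.gethostbyname_ex(name)
    return canonical, addresses


def system_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver; None when it fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_host(name: str, forward: ForwardFn = system_forward,
               reverse: ReverseFn = system_reverse) -> List[str]:
    """Return findings; an empty list means name -> address -> PTR is consistent."""
    findings: List[str] = []
    try:
        canonical, addresses = forward(name)
    except OSError as exc:
        return [f"{name}: forward lookup failed ({exc})"]
    # A CNAME means the name you typed is not the name the address maps back to.
    if canonical.lower() != name.lower():
        findings.append(f"{name} is an alias (CNAME) for {canonical}")
    for ip in addresses:
        ptr = reverse(ip)
        if ptr is None:
            findings.append(f"{ip}: no PTR record")
        elif ptr.lower() != canonical.lower():
            findings.append(f"{ip} reverse-resolves to {ptr}, not {canonical}")
    return findings


if __name__ == "__main__":
    for host in ("kdc.housecafe.de", "sheep.housecafe.de", "nosuch.housecafe.de"):
        result = check_host(host, sample_forward, sample_reverse)
        print(host, "OK" if not result else result)
```

For a real host, call `check_host("kdc.example.invalid")` with the default resolver arguments; the findings list tells you whether the name is an alias, whether a PTR is missing, or whether the PTR points at a different name than the one the address was reached through.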

