[OpenAFS] AFS and MIT Kerberos 5 (RedHat 8.0, RPMS from openafs.org)

Mikkel Kruse Johnsen mkj.its@cbs.dk
Thu, 13 Mar 2003 09:41:25 +0100


Hi All

I have been trying to set up AFS using Kerberos 5 as auth server. I have
AFS running but have a few issues:

1)
I have created a user in the Kerberos database called afs@CBS.DK and
I have installed AFS with that key using asetkey (with the right
kvno number). I have created it with "des-cbc-crc:afs3" but what is
"afs3" good for? Should I use "des-cbc-crc:v4" instead?

2)
Also when trying to get the AFS ticket from a client I do: "kinit" to
get the user's krbtgt then I do "aklog -d" and I get:

Authenticating to cell cbs.dk (server afs-1.cbs.dk).
We've deduced that we need to authenticate to realm CBS.DK.
Getting tickets: afs/cbs.dk@CBS.DK
Kerberos error code returned by get_cred: -1765328228
aklog: Couldn't get cbs.dk AFS tickets:
aklog: Cannot contact any KDC for requested realm while getting AFS
tickets

Should I have created the afs ticket in Kerberos as "afs/cbs.dk@CBS.DK"
instead?

3)
Also I haven't trouble creating the rights on the /afs filesystem (Maybe
this is all due to me not getting the AFS ticket). When doing: 

    fs checkvolumes 
    fs Input/Output error" 

when trying to set user rights 
    
    fs setacl /afs system:anyuser rl
    fs: Invalid argument; it is possible that /afs is not in AFS.

Is this because I don't have the AFS token (doing aklog)? Or should I
add the /afs to AFS somehow? I can see that the openafs-client package
creates the /afs and chmod 755 on it. Is that all or should it be added
somehow?

4)
Another question about my setup if any comments.

I am trying to set up a cluster for my web servers. I don't want to buy a
lot of expensive hardware so I'm trying to use low or mid size computers
for the setup. I was thinking of using two load balancers (with failover)
to balance load between my front end servers. The frontend servers are
just some pizza size computers. These computers have to get the HTML
files from a fileserver but I don't want the fileserver to be one point
of failure, so some kind of distributed file system must be used (or a
SAN backend, but they are so expensive). My question is:

    Is AFS the right distributed file system for the job?

Many on the net talk about CODA (but from what I understand it is a
branch of the AFS filesystem) or should I go for SAN or CODA?

---

Hope to get some input, thanks.

Bye

-- 
Mikkel Kruse Johnsen <mkj.its@cbs.dk>
ITS
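
Added example, not part of the original message: the number that "aklog -d" prints after get_cred is a com_err status code, and this sketch splits it into its error-table name and offset so it can be matched to the text aklog prints next. The function names are hypothetical, and the one-entry name table is an assumption taken from MIT krb5's error table.

```python
import re

# com_err packs a table name of up to 4 characters, 6 bits each, into the
# upper 24 bits of a 32-bit code; the low 8 bits are the offset in the table.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz0123456789_")

# Assumption: symbolic name as defined in MIT krb5's error table.
KNOWN = {("krb5", 156): "KRB5_KDC_UNREACH"}


def decode_com_err(code):
    """Split a signed 32-bit com_err code into (table_name, offset)."""
    u = code & 0xFFFFFFFF
    offset, packed = u & 0xFF, u >> 8
    name = ""
    while packed:
        idx = packed & 0x3F
        if idx:
            name = CHARSET[idx - 1] + name
        packed >>= 6
    return name, offset


def table_base(name):
    """Inverse direction: signed 32-bit base code of an error table."""
    packed = 0
    for ch in name:
        packed = (packed << 6) + CHARSET.index(ch) + 1
    u = (packed << 8) & 0xFFFFFFFF
    return u - (1 << 32) if u & 0x80000000 else u


def explain(line):
    """Decode the status code found in one line of 'aklog -d' output."""
    m = re.search(r"get_cred:\s*(-?\d+)", line)
    if not m:
        return None
    table, offset = decode_com_err(int(m.group(1)))
    return table, offset, KNOWN.get((table, offset), "unknown")


if __name__ == "__main__":
    # Line copied from the aklog -d output quoted in the message.
    print(explain("Kerberos error code returned by get_cred: -1765328228"))
```

The code belongs to the krb5 library's own table, so it is the numeric form of the "Cannot contact any KDC for requested realm" text on the following aklog line, not a separate AFS-side failure.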
