[OpenAFS] Debian - openafs -noauth problems

Sergio Gelato Sergio.Gelato@astro.su.se
Wed, 10 Aug 2005 19:53:33 +0200


* Frank Burkhardt [2005-08-10 10:51:38 +0200]:
> On Tue, Aug 09, 2005 at 10:01:01PM -0400, Madhusudan Singh wrote:
> > 	I was wondering if I could ask a few questions regarding AFS setup on Debian. 
> > I am trying to follow the instructions 
> > http://www.gentoo.org/doc/en/openafs.xml?style=printable

Why not follow the /usr/sbin/afs-newcell script that comes with Debian's
openafs-dbserver package? It's rumoured to have some problems, but they
are worth reporting. (See below.)

> > in a Cell A, Realm B type setup.

Good, I wanted to practice doing just that, so I've just been playing
with this.

One aspect that I found to be insufficiently documented is the need to
write your realm name in /etc/openafs/server/krb.conf . It's been
mentioned before on this mailing list, but seems to be missing from
both Debian's and Gentoo's instructions, presumably because it's only
needed when your cell name doesn't match your realm name.

> > # bos setcellname omega.domain.edu omega.domain.edu -noauth
> > bos: failed to set cell (you are not authorized for this operation)

One feature of Debian's afs-newcell is that it doesn't need to run
bos -noauth at all. Instead, one sets up the KeyFile beforehand and
uses -localauth.

> There is a tool called pt_util for initially creating a PTDB-Database-file without
> any tokens needed (The first space in the 3rd line is important!):

(And afs-newcell obfuscates that space.)

While I'm on the subject, here are the things that went wrong for me
today with the Debian (sarge) scripts:

1. "bos addhost" put my server's IP address between square brackets in
/etc/openafs/server/CellServDB. This caused the server (the only one
in the cell at this point) not to count for quorum, and "vos create ...
root.afs" to fail. Edit the file, remove the brackets, "bos restart",
continue.

2. I'm not 100% sure that this would have been a problem, but as my
afsd starts with -dynroot by default I chose to stop it and restart
it with a static root before running afs-rootvol. 

3. As I said earlier, creation of krb.conf was neither documented nor
handled by the scripts. This caused afs-rootvol to fail until I
corrected the problem.

Apart from this, the procedure documented by afs-newcell and afs-rootvol
worked for me.
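
The two file-level problems described in this message (a bracketed address in the server CellServDB, and a missing krb.conf when cell and realm differ) can be checked before running afs-rootvol. The script below is an added example, not part of the original message or of Debian's scripts. The function names and the realm REALM-B.EXAMPLE are hypothetical, and it assumes that "matching" means the realm equals the upper-cased cell name and that krb.conf holds whitespace-separated realm names.

```shell
#!/bin/sh
# Added example: pre-flight checks for problems 1 and 3 in the list above.
# The config directory is an argument so the checks can run against a copy.

# Print server lines whose address is wrapped in [ ]; status 0 if any exist.
bracketed_hosts() {    # $1 = path to server CellServDB
    grep -E '^[[:space:]]*\[[0-9.]+\]' "$1"
}

# Status 0 if krb.conf is not needed or already lists the realm.
krb_conf_ok() {        # $1 = cell, $2 = realm, $3 = path to krb.conf
    cell_uc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    # Assumption: no krb.conf is needed when REALM == upper-cased cell name.
    [ "$cell_uc" = "$2" ] && return 0
    [ -r "$3" ] || return 1
    # Assumption: the file is a whitespace-separated list of realm names.
    tr -s '[:space:]' '\n' < "$3" | grep -qxF -- "$2"
}

# Report each problem found; the exit status is the number of problems.
preflight() {          # $1 = server config dir, $2 = cell, $3 = realm
    problems=0
    if bracketed_hosts "$1/CellServDB" >/dev/null; then
        echo "CellServDB: bracketed address, will not count for quorum:"
        bracketed_hosts "$1/CellServDB" | sed 's/^/    /'
        echo "  fix: remove the brackets, then 'bos restart'"
        problems=$((problems + 1))
    fi
    if ! krb_conf_ok "$2" "$3" "$1/krb.conf"; then
        echo "krb.conf: $1/krb.conf must contain realm $3 for cell $2"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demonstration on constructed sample data (not a real cell's files).
demo=$(mktemp -d)
printf '>omega.domain.edu #Cell name\n[192.0.2.10] #afs1.domain.edu\n' \
    > "$demo/CellServDB"
preflight "$demo" omega.domain.edu REALM-B.EXAMPLE || echo "problems found: $?"
rm -rf "$demo"
```

On a live server the call would be `preflight /etc/openafs/server <cell> <REALM>`, using the directory named in the message.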