[OpenAFS] Debian - openafs -noauth problems
Fri, 12 Aug 2005 10:47:00 -0400
On Wednesday 10 August 2005 1:53 pm, Sergio Gelato wrote:
> * Frank Burkhardt [2005-08-10 10:51:38 +0200]:
> > On Tue, Aug 09, 2005 at 10:01:01PM -0400, Madhusudan Singh wrote:
> > > I was wondering if I could ask a few questions regarding AFS setup on
> > > Debian. I am trying to follow the instructions
> > > http://www.gentoo.org/doc/en/openafs.xml?style=printable
> Why not follow the /usr/sbin/afs-newcell script that comes with Debian's
> openafs-dbserver package? It's rumoured to have some problems, but they
> are worth reporting. (See below.)
I am trying to get a feel of how the whole thing works, so I would like to get
a working configuration by hand first. .
> > > in a Cell A, Realm B type setup.
> Good, I wanted to practice doing just that, so I've just been playing
> with this.
Thank goodness. Finally, someone who is at least looking to do that.
> One aspect that I found to be insufficiently documented is the need to
> write your realm name in /etc/openafs/server/krb.conf . It's been
Isn't krb.conf supposed to be present in /etc instead (I have it present
there, and authentication seems to be "working" (read on)) ?
> mentioned before on this mailing list, but seems to be missing from
> both Debian's and Gentoo's instructions, presumably because it's only
> needed when your cell name doesn't match your realm name.
I promise to write a thorough howto for people in this situation when I get
the server up and running. I beleive I am close to getting this working. Let
me first bring you all up to date :
To get past this setcellname problem, I had to shut down openafs-fileserver.
Then start it with -noauth. That fixed it.
I tried to follow instructions at :
While the document does presumably work for realm=cell setups, I learnt the
hard way that the name of the admin user needed to be someone who was
actually present in the realm. In hindsight, a fairly stupid error, but then
anyways, this is another thing that is not documented and can throw a newbie
(at server setup) like me.
After that, I followed along most of the document until it was time to get the
Kerberos tickets, and the authentication choked. Until a friend pointed out
that it was probably my firewall. I dropped it for a while (not recommended)
and presto, the authentication for user zzz worked and I had tickets (klist).
Then aklog worked. I then reestablished the firewall and opened TCP and UDP
ports 88, 749, 750, and 751. Now kinit worked but aklog did not. That is
where it stands from an authentication standpoint right now. Any idea which
ports need to be open for aklog ?
The next step was to set access rights on /vicepa. The instructions available
on the last page of http://www.scode.org/afs/openafs-install.txt are a
little confusing here. They suggest the following :
# fs setacl /afs system:anyuser rl
Now /afs is located on /, not /vicepa (Debian install set /afs up that way).
Since /afs is not located in root.afs on /vicepa, why would I even want to or
be able to grant access rights to that (speaking as an afs administrator).
But if memory serves me right, the server partitions are usually mounted
under /afs. So, do I set a soft link ? Like ln -s /vicepa /afs ?
Sure enough the above command leads to the following error :
fs: You don't have the required access rights on '/afs'
I can't even list it :
omega# cd afs
-bash: cd: afs: Permission denied
omega:/# ls /afs/
ls: /afs/: Permission denied
I am logged in as root with zzz's kerberos credentials (that ought to be
the combination with the highest access privileges on this new system). What
do you think is going on ?
omega:/# ls -ltr / | grep "afs"
drwxrwxrwx 2 root root 2048 2005-08-10 11:11 afs
uid=0(root) gid=0(root) groups=0(root)
omega:/# ls -ltr /afs
ls: /afs: Permission denied
PS : How about creating an openafscellnotequaltokerberosrealm wiki on