[OpenAFS] Debian - openafs -noauth problems

[Madhusudan Singh]

Hi

On Wednesday 10 August 2005 1:53 pm, Sergio Gelato wrote:
> * Frank Burkhardt [2005-08-10 10:51:38 +0200]:
> > On Tue, Aug 09, 2005 at 10:01:01PM -0400, Madhusudan Singh wrote:
> > > 	I was wondering if I could ask a few questions regarding AFS setup on
> > > Debian. I am trying to follow the instructions
> > > http://www.gentoo.org/doc/en/openafs.xml?style=printable
>
> Why not follow the /usr/sbin/afs-newcell script that comes with Debian's
> openafs-dbserver package? It's rumoured to have some problems, but they
> are worth reporting. (See below.)
>

I am trying to get a feel of how the whole thing works, so I would like to get 
a working configuration by hand first. .

> > > in a Cell A, Realm B type setup.
>
> Good, I wanted to practice doing just that, so I've just been playing
> with this.

Thank goodness. Finally, someone who is at least looking to do that.

>
> One aspect that I found to be insufficiently documented is the need to
> write your realm name in /etc/openafs/server/krb.conf . It's been

Isn't krb.conf supposed to be present in /etc instead (I have it present 
there, and authentication seems to be "working" (read on)) ?

> mentioned before on this mailing list, but seems to be missing from
> both Debian's and Gentoo's instructions, presumably because it's only
> needed when your cell name doesn't match your realm name.
>

I promise to write a thorough howto for people in this situation when I get 
the server up and running. I beleive I am close to getting this working. Let 
me first bring you all up to date :

To get past this setcellname problem, I had to shut down openafs-fileserver. 
Then start it with -noauth. That fixed it.

I tried to follow instructions at :

 http://www.scode.org/afs/openafs-install.txt

While the document does presumably work for realm=cell setups, I learnt the 
hard way that the name of the admin user needed to be someone who was 
actually present in the realm. In hindsight, a fairly stupid error, but then 
anyways, this is another thing that is not documented and can throw a newbie 
(at server setup) like me.

After that, I followed along most of the document until it was time to get the 
Kerberos tickets, and the authentication choked. Until a friend pointed out 
that it was probably my firewall. I dropped it for a while (not recommended) 
and presto, the authentication for user zzz worked and I had tickets (klist). 
Then aklog worked. I then reestablished the firewall and opened TCP and UDP 
ports 88, 749, 750, and 751. Now kinit worked but aklog did not. That is 
where it stands from an authentication standpoint right now. Any idea which 
ports need to be open for aklog ?

The next step was to set access rights on /vicepa. The instructions available 
on the last page of http://www.scode.org/afs/openafs-install.txt are a 
little confusing here. They suggest the following :

# fs setacl /afs system:anyuser rl

Now /afs is located on /, not /vicepa (Debian install set /afs up that way). 
Since /afs is not located in root.afs on /vicepa, why would I even want to or 
be able to grant access rights to that (speaking as an afs administrator). 
But if memory serves me right, the server partitions are usually mounted 
under /afs. So, do I set a soft link ? Like ln -s /vicepa /afs ?

Sure enough the above command leads to the following error :

fs: You don't have the required access rights on '/afs'

I can't even list it :

omega# cd afs
-bash: cd: afs: Permission denied

omega:/# ls /afs/
ls: /afs/: Permission denied

I am logged in as root with zzz's kerberos credentials (that ought to be 
the combination with the highest access privileges on this new system). What 
do you think is going on ?

omega:/# ls -ltr / | grep "afs"
drwxrwxrwx    2 root root   2048 2005-08-10 11:11 afs

omega:/# id
uid=0(root) gid=0(root) groups=0(root)

omega:/# ls -ltr /afs
ls: /afs: Permission denied

Thanks.

PS : How about creating an openafscellnotequaltokerberosrealm wiki on 
Wikipedia ?