[OpenAFS] Debian - openafs -noauth problems

Sergio Gelato Sergio.Gelato@astro.su.se
Fri, 12 Aug 2005 19:00:12 +0200


* Madhusudan Singh [2005-08-12 10:47:00 -0400]:
> > Why not follow the /usr/sbin/afs-newcell script that comes with Debian's
> > openafs-dbserver package? It's rumoured to have some problems, but they
> > are worth reporting. (See below.)
> 
> I am trying to get a feel for how the whole thing works, so I would like to get
> a working configuration by hand first.

That's OK, but by "follow" I didn't necessarily mean "run". One can also
read the script as documentation and type in the commands by hand.

> > One aspect that I found to be insufficiently documented is the need to
> > write your realm name in /etc/openafs/server/krb.conf . It's been
> 
> Isn't krb.conf supposed to be present in /etc instead (I have it present
> there, and authentication seems to be "working" (read on))?

Covered in the mailing list archives. If you have an /etc/krb.conf on
your server for other reasons (generic Kerberos 4 support, presumably,
but that's getting out of fashion) and the realm for your cell is the
first one listed in that file, then indeed you don't need a separate 
krb.conf in /etc/openafs/server.

> Then aklog worked. I then reestablished the firewall and opened TCP and UDP
> ports 88, 749, 750, and 751. Now kinit worked but aklog did not. That is
> where it stands from an authentication standpoint right now. Any idea which
> ports need to be open for aklog?

4444 (krb524d), most probably. You can strace aklog to find out for sure.

And of course you'll want to open some of UDP 7000-7011 for AFS itself;
especially 7001 inbound, since callbacks can occur a long time after any
outbound AFS traffic from your host so that even stateful firewalls can have
trouble with them.

Note that these are client-side requirements (you asked about aklog); 
the optimal firewall settings for a server will be different.

> # fs setacl /afs system:anyuser rl
> 
> Now /afs is located on /, not /vicepa (Debian install set /afs up that way). 

/afs is a mount point. You need the AFS client to be running in order
for the fs command to work.

> Since /afs is not located in root.afs on /vicepa, why would I even want to or
> be able to grant access rights to that (speaking as an afs administrator).
> But if memory serves me right, the server partitions are usually mounted
> under /afs. So, do I set a soft link? Like ln -s /vicepa /afs?

No, no, no. Just run
	/etc/init.d/openafs-client force-start
if it isn't already running. (I think it is. "pgrep -fl afsd" will tell.)

> Sure enough the above command leads to the following error:
> 
> fs: You don't have the required access rights on '/afs'

Check your tokens. Note that this is exactly the symptom I had when I
was missing a krb.conf file. Other related symptoms included pts
subcommands failing unless they were invoked with -noauth.

Did you restart bosserver without -noauth, by the way? At this stage
you want to have full authentication support.

> I am logged in as root with zzz's kerberos credentials (that ought to be
> the combination with the highest access privileges on this new system). What
> do you think is going on?
> 
> omega:/# ls -ltr / | grep "afs"
> drwxrwxrwx    2 root root   2048 2005-08-10 11:11 afs
> 
> omega:/# id
> uid=0(root) gid=0(root) groups=0(root)

tokens? (And you could at least set up a PAG with pagsh; no need for
*every* daemon on your system to have administrative access to your AFS
cell while you are working.)

> omega:/# ls -ltr /afs
> ls: /afs: Permission denied
> 
> Thanks.
> 
> PS: How about creating an openafscellnotequaltokerberosrealm wiki on
> Wikipedia?

There isn't that much to know: the AFS service principal obviously had 
better have the cell name as instance, and the cell->realm mapping needs 
to be configured (krb.conf). Maybe that can fit on an existing page of 
the AFS wiki? I looked for that information in the FAQ.
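As an added example that is not part of the thread above, the following POSIX shell script turns the reply's client-side advice into something checkable: it emits (as text, not applied) an iptables rule set for an AFS client host, contrasting the stateful-only rule that silently drops late callbacks with the explicit UDP 7001 accept the reply recommends, and it resolves the cell's realm the way the reply describes (/etc/openafs/server/krb.conf first, otherwise the first realm listed in /etc/krb.conf). The interface name eth0, the function names, and the ability to pass alternative krb.conf paths as parameters are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the OpenAFS list or the Debian packages.
# Assumptions: interface "eth0", function names, krb.conf paths as parameters.

# Emit iptables rules for an AFS *client* host as text; nothing is applied.
# $1: outbound interface (assumed eth0).
afs_client_rules() {
    iface=${1:-eth0}
    cat <<EOF
# Kerberos: the ports the thread opened for kinit (88, 749-751) plus 4444 (krb524d, used by aklog)
iptables -A OUTPUT -o $iface -p udp -m multiport --dports 88,749,750,751,4444 -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp -m multiport --dports 88,749,750,751 -j ACCEPT
# AFS servers listen on UDP 7000-7011; replies to our own requests return via conntrack state
iptables -A OUTPUT -o $iface -p udp --dport 7000:7011 -j ACCEPT
iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
# Weak setting: stopping at the state rule. Fileservers send callback breaks to
# UDP 7001 long after the client's last outbound packet, so the conntrack entry
# has often expired and the callback is dropped. Corrected: accept 7001 explicitly.
iptables -A INPUT -i $iface -p udp --dport 7001 -j ACCEPT
iptables -A INPUT -i $iface -j DROP
EOF
}

# Print the Kerberos realm the AFS servers will use for this cell.
# $1: server-specific krb.conf (default /etc/openafs/server/krb.conf)
# $2: generic Kerberos 4 krb.conf (default /etc/krb.conf); its first line is
#     the local realm, which is the one the reply says must match the cell.
# Returns 1 when neither file exists, i.e. the cell->realm mapping is unset,
# which is the situation behind the "required access rights" symptom above.
afs_cell_realm() {
    server_conf=${1:-/etc/openafs/server/krb.conf}
    generic_conf=${2:-/etc/krb.conf}
    if [ -r "$server_conf" ]; then
        awk 'NF { print $1; exit }' "$server_conf"
    elif [ -r "$generic_conf" ]; then
        awk 'NF { print $1; exit }' "$generic_conf"
    else
        echo "no krb.conf found: cell->realm mapping is not configured" >&2
        return 1
    fi
}

# The fs command needs a running AFS client (the reply's "pgrep -fl afsd" check).
afs_client_running() {
    pgrep -f afsd >/dev/null 2>&1
}

# Usage when run as a script: show the rules, then the realm (or the reason it is missing).
afs_client_rules eth0
afs_cell_realm 2>/dev/null || echo "realm mapping not configured on this host"
afs_client_running && echo "afsd is running" || echo "afsd is not running; start openafs-client first"
```

The rule set is intentionally printed rather than applied so it can be reviewed and fed to a proper policy tool; on a real client the only line that usually surprises people is the explicit 7001 accept, which is exactly the case the reply singles out.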