[OpenAFS] Debian - openafs -noauth problems

Madhusudan Singh singh.madhusudan@gmail.com
Fri, 12 Aug 2005 15:01:22 -0400


Hi

Thanks for your response.
>
> That's OK, but by "follow" I didn't necessarily mean "run". One can also
> read the script as documentation and type in the commands by hand.
>

Point taken.

> > > One aspect that I found to be insufficiently documented is the need to
> > > write your realm name in /etc/openafs/server/krb.conf . It's been
> >
> > Isn't krb.conf supposed to be present in /etc instead (I have it present
> > there, and authentication seems to be "working" (read on))?
>
> Covered in the mailing list archives. If you have an /etc/krb.conf on
> your server for other reasons (generic Kerberos 4 support, presumably,
> but that's getting out of fashion) and the realm for your cell is the
> first one listed in that file, then indeed you don't need a separate
> krb.conf in /etc/openafs/server.

Ok.

>
> > Then aklog worked. I then reestablished the firewall and opened TCP and
> > UDP ports 88, 749, 750, and 751. Now kinit worked but aklog did not. That
> > is where it stands from an authentication standpoint right now. Any idea
> > which ports need to be open for aklog?
>
> 4444 (krb524d), most probably. You can strace aklog to find out for sure.
>

Yes, indeed it is 4444 (the port number). Is it TCP or UDP? I have opened
both, and now I see:

aklog: unable to obtain tokens for cell omega.domain.edu (status: a pioctl failed).

I opened both 4444 and 7001 using guarddog and somehow an nmap scan of the 
open UDP ports does not reveal them to be open.

<Lot of excellent advice snipped>