[OpenAFS] [1.3.86] heimdal/krb5 auth for BOS requests fails during initial cell setup [SOLVED]
scorch
scorch@muse.net.nz
Wed, 17 Aug 2005 23:56:05 +0200
Morgan Hallgren said the following on 2005-08-17 18:25:
> Hi, I also have some problem getting the AFS token when the user does kinit.
> Do I have to have the user in both Kerberos and AFS?
Hi Morgan,
I've attached below the docs I made to help get you started.
Basically, you need to have the arla client running already, thinking it points to 'your' cell, but not OpenAFS yet -- even if it's not actually created yet. Check /usr/vice/etc/ and /usr/afs/etc/ and /etc/afs/ -- it depends on your OS where this trips you up. More details below on what I did.
Get a CLEAN Kerberos setup -- details below -- and ensure you have this working first, ideally using a kerberised telnet, or OpenSSH if you update sshd_config appropriately.
Once this is going, get your arla client running to an existing cell near you. Then update ThisCell to 'yours', reboot the client, and start working on --afslog after kinit.
When this is sweet, you can go on with OpenAFS.
If you don't have an AFS key thingy in your klist output, then get that sorted first.
e.g.
wavey@mercury:/usr/vice/etc $ klist -vT
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: wavey/afs@MUSE.NET.NZ
Cache version: 4
Server: krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Aug 17 21:28:02 2005
End time: Aug 17 23:08:21 2005 (expired)
Renew till: Aug 24 21:28:02 2005
Ticket flags: renewable, initial
Addresses: IPv4:10.0.0.9, IPv4:10.0.0.20
specifically this is needed:
*************** Server: afs/muse.net.nz@MUSE.NET.NZ ****************
Ticket etype: des-cbc-crc, kvno 1
Auth time: Aug 17 21:28:02 2005
End time: Aug 17 23:08:21 2005 (expired)
Ticket flags: transited-policy-checked
Addresses: IPv4:10.0.0.9, IPv4:10.0.0.20
I suspect that this is only listed when you have arla + OpenAFS up & running:
Aug 17 21:28:02 Aug 17 23:08:21 User's (AFS ID 1000) tokens for muse.net.nz (256)
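As an added check (my own example, not part of scorch's post), here is a small POSIX shell function that reads `klist -vT` output and reports whether the afs/CELL@REALM service ticket the post says is required is missing, expired or valid. The sample output inside it is constructed from the lines quoted above, not a real capture.

```shell
#!/bin/sh
# Added example: classify the AFS service ticket in Heimdal `klist -vT` output.
# Prints "missing", "expired" or "valid" for afs/CELL@REALM.

# Constructed sample of `klist -vT` output, modelled on the post (not a real cache).
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_1000
Principal: wavey/afs@MUSE.NET.NZ
Cache version: 4

Server: krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Aug 17 21:28:02 2005
End time: Aug 17 23:08:21 2005 (expired)
Renew till: Aug 24 21:28:02 2005
Ticket flags: renewable, initial

Server: afs/muse.net.nz@MUSE.NET.NZ
Ticket etype: des-cbc-crc, kvno 1
Auth time: Aug 17 21:28:02 2005
End time: Aug 17 23:08:21 2005 (expired)
Ticket flags: transited-policy-checked
'

# afs_ticket_state CELL REALM   (klist output on stdin)
afs_ticket_state() {
    awk -v want="afs/$1@$2" '
        # Every ticket block starts with a "Server:" line; remember if it is ours.
        $1 == "Server:" { in_afs = ($2 == want); if (in_afs) found = 1; next }
        # The "End time:" line of our block decides expired vs valid.
        in_afs && $1 == "End" && $2 == "time:" {
            state = ($0 ~ /\(expired\)/) ? "expired" : "valid"
            exit
        }
        END {
            if (!found) print "missing"
            else print (state == "" ? "unknown" : state)
        }'
}

# Against a live cache you would run:  klist -vT | afs_ticket_state muse.net.nz MUSE.NET.NZ
printf '%s' "$SAMPLE_KLIST" | afs_ticket_state muse.net.nz MUSE.NET.NZ   # prints "expired"
```

The match is done on the "Server:" field rather than on a whole line, so the alignment that klist uses does not matter; an "unknown" result means the ticket block was present but had no "End time:" line.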
Anyway, here are my baseline notes; the krb5.conf is attached to save the typing.
When you start from scratch, REMOVE your
/var/heimdal/*
/etc/kerberosV/krb5.keytab
/usr/afs/etc/KeyFile
/usr/vice/etc/KeyFile
/usr/afs/{db,local,logs}
/etc/afs/
this can be a MAJOR problem otherwise!
I also set up these aliases:
pafs='ps aux | grep -i afs'
local_bos='/usr/afs/bin/bosserver -log -enable_peer_stats -enable_process_stats -noauth; \
/usr/afs/bin/bos restart mercury.muse.net.nz -all -cell muse.net.nz -localauth; pafs'
no_bos='/usr/afs/bin/bos shutdown mercury.muse.net.nz -cell muse.net.nz -noauth; \
/usr/afs/bin/bos shutdown mercury.muse.net.nz -cell muse.net.nz -localauth; \
/usr/afs/bin/bosserver -log -enable_peer_stats -enable_process_stats -noauth; \
pkill -HUP bosserver; pafs'
KerberosV
===========================================================
http://www.openbsd.org/faq/faq10.html#Kerberos
http://www.pdc.kth.se/heimdal/heimdal.html
http://kula.public.iastate.edu/talks/afs-bpw-2005/afs-bpw-2005-iowa.html
file:/etc/rc
# not needed in OpenBSD3.7
/usr/libexec/kdc -config-file=/etc/kerberosV/krb5.conf
file:/etc/kerberosV/krb5.conf
[libdefaults]
default_realm = MUSE.NET.NZ
ticket_lifetime = 6000
clockskew = 300
[appdefaults]
afs-use-524 = no
afslog = yes
[realms]
MUSE.NET.NZ = {
supported_keytypes = des:normal des-cbc-crc:v4 des-cbc-crc:afs3
kdc = 3dogs.muse.net.nz
admin_server = 3dogs.muse.net.nz
kpasswd_server = 3dogs.muse.net.nz
}
[domain_realm]
.muse.net.nz = MUSE.NET.NZ
[kadmin]
default_keys = v5 afs3
afs-cell = muse.net.nz
[logging]
kadmind = FILE:/var/heimdal/kadmind.log
[kdc]
require-preauth = no
v4-realm = MUSE.NET.NZ
afs-cell = muse.net.nz
===========================================================
mkdir /var/heimdal
chmod 700 /var/heimdal
cd /var/heimdal
kstash
kadmin -l
init MUSE.NET.NZ
add wavey
add wavey/admin
add wavey/afs
add --random-key host/scorch.muse.net.nz
add --random-key host/3dogs.muse.net.nz
ext --keytab=/etc/kerberosV/krb5.keytab host/scorch.muse.net.nz
ext --keytab=/etc/kerberosV/krb5.keytab host/3dogs.muse.net.nz
exit
chmod 0400 /etc/kerberosV/krb5.keytab
sudo /usr/libexec/kdc &
sudo /usr/libexec/kadmind &
sudo /usr/libexec/kpasswdd &
file:/var/heimdal/kadmind.acl
wavey/admin@MUSE.NET.NZ all
muffin/admin@MUSE.NET.NZ all */
joe/admin@MUSE.NET.NZ all *@MUSE.NET.NZ
jim/admin@MUSE.NET.NZ all */*@MUSE.NET.NZ
jon/admin@MUSE.NET.NZ change-password *@MUSE.NET.NZ
For each host to be a member of the KRB realm
===========================================================
use same /etc/kerberosV/krb5.conf
sudo kadmin -p wavey/admin@MUSE.NET.NZ
add --random-key host/mercury.muse.net.nz
ext --keytab=/etc/kerberosV/krb5.keytab host/mercury.muse.net.nz
exit
chmod 0400 /etc/kerberosV/krb5.keytab
kinit -fp --afslog wavey
klist -vT
telnet -afxdl wavey scorch
Then the following for OpenAFS:
ARLA Client
===========================================================
file:/etc/rc.conf.local
afs=YES
echo muse.net.nz> /etc/afs/ThisCell
cd /etc/afs; wget http://grand.central.org/dl/cellservdb/CellServDB
>ualberta.ca # University of Alberta -- /afs/ualberta.ca/mirror/openbsd/
129.128.1.131 #file13.ucs.ualberta.ca
129.128.98.17 #mystery.ucs.ualberta.ca
129.128.125.40 #drake-en0.ucs.ualberta.ca
>stacken.kth.se # RIT Comp Club -- /afs/stacken.kth.se/ftp/pub/OpenBSD/
130.237.234.3 #milko.stacken.kth.se
130.237.234.43 #hot.stacken.kth.se
130.237.237.230 #fishburger.stacken.kth.se
>su.se # Stockholm Uni -- /afs/su.se/services/ftp/pub/OpenBSD
130.237.162.81 #afsdb1.su.se
130.237.162.82 #afsdb2.su.se
130.237.162.230 #afsdb3.su.se
>muse.net.nz # dave & veronika -- /afs/muse.net.nz/
10.0.0.9 #mercury.muse.net.nz
#10.0.0.2 #scorch.muse.net.nz
#10.0.0.20 #straylight.muse.net.nz
#10.0.0.21 #wintermute.muse.net.nz
#10.0.0.22 #sendai.muse.net.nz
echo -n 'mounting afs:'
mkdir -p -m 0755 /afs
mount -t xfs /dev/xfs0 /afs
/usr/libexec/afsd &
/usr/libexec/afsd --dynroot --log=/var/log/afsd.log --fake-mp --fake-stat --no-recover &
cd /afs/su.se/services/ftp/pub/OpenBSD
GET THE SOURCE AND MAKE BUILD
===========================================================
cvs -d:pserver:anonymous@cvs.openafs.org:/cvs login
anonymous
cvs -z9 -d:pserver:anonymous@cvs.openafs.org:/cvs co -PA openafs
chgrp -R wsrc .
#find . -type d | xargs chmod 775
#find . -type f | xargs chmod 664
./configure --enable-transarc-paths --enable-fast-restart --enable-bitmap-later --quiet --enable-debug --enable-bos-new-config --enable-supergroups --enable-namei-fileserver --disable-kernel-module
Create AFS Service Accounts
===========================================================
mkdir -p /usr/afs/etc
kadmin
list host/mercury.muse.net.nz afs*
add --random-key afs/muse.net.nz
ext -k /tmp/afsv5key afs/muse.net.nz
ext -k /tmp/afsv5key afs
exit
ktutil -v copy /tmp/afsv5key AFSKEYFILE:/usr/afs/etc/KeyFile
CONFIGURING OpenAFS
===========================================================
http://www.openafs.org/pages/doc/QuickStartUnix/auqbg005.htm#HDRWQ50
http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html
http://wiki.bsd-crew.de/index.php/OpenAFS_unter_NetBSD#Compiling_OpenAFS
http://www.pdc.kth.se/heimdal/heimdal.html#Testing-clients-and-servers
http://www.slac.stanford.edu/~alfw/kerb5.html
http://grand.central.org/twiki/bin/view/AFSLore/InstallingtheFirstAFSMachine
echo muse.net.nz> /usr/afs/etc/ThisCell
file:/usr/afs/etc/CellServDB
>muse.net.nz # muse.net.nz
10.0.0.9 #mercury.muse.net.nz
# create & auto-start the daemons
alias pafs='ps aux | grep afs'
cd /usr/afs/bin
/usr/afs/bin/bosserver -log -enable_peer_stats -enable_process_stats -noauth
/usr/afs/bin/bos setcellname mercury.muse.net.nz muse.net.nz -noauth
less /usr/afs/etc/ThisCell
less /usr/afs/etc/CellServDB
/usr/afs/bin/bos listhosts mercury.muse.net.nz -noauth
/usr/afs/bin/bos create mercury.muse.net.nz \
buserver simple /usr/afs/bin/buserver \
-cell muse.net.nz -noauth
/usr/afs/bin/bos create mercury.muse.net.nz \
ptserver simple /usr/afs/bin/ptserver \
-cell muse.net.nz -noauth
/usr/afs/bin/bos create mercury.muse.net.nz \
vlserver simple /usr/afs/bin/vlserver \
-cell muse.net.nz -noauth
pafs
# grant admin rights on cell
/usr/afs/bin/pts createuser -name wavey.afs -cell muse.net.nz -noauth
/usr/afs/bin/pts createuser -name wavey -cell muse.net.nz -noauth
/usr/afs/bin/pts adduser wavey system:administrators -cell muse.net.nz -noauth
/usr/afs/bin/pts adduser wavey.afs system:administrators -cell muse.net.nz -noauth
/usr/afs/bin/pts mem system:administrators -cell muse.net.nz -noauth
# grant admin rights on local fileserver if not done above
/usr/afs/bin/bos adduser mercury.muse.net.nz wavey -cell muse.net.nz -noauth
/usr/afs/bin/bos adduser mercury.muse.net.nz wavey.afs -cell muse.net.nz -noauth
/usr/afs/bin/bos listkeys mercury.muse.net.nz -cell muse.net.nz -noauth
restart BOS with authentication
===========================================================
cd /usr/afs/bin
/usr/afs/bin/bos shutdown mercury.muse.net.nz -cell muse.net.nz -noauth -wait
/usr/afs/bin/bos status mercury.muse.net.nz -cell muse.net.nz -noauth -long
pafs
pkill -HUP bosserver
### mount /vicepa
### kinit wavey/afs to get afs privileged tokens
/usr/afs/bin/bosserver -log -enable_peer_stats -enable_process_stats
/usr/afs/bin/bos restart mercury.muse.net.nz -all -cell muse.net.nz
create FS instance
===========================================================
/usr/afs/bin/bos create mercury.muse.net.nz fs fs \
/usr/afs/bin/fileserver \
/usr/afs/bin/volserver \
/usr/afs/bin/salvager \
-cell muse.net.nz
create AFS root volume
===========================================================
cd /usr/afs/bin
/usr/afs/bin/vos listpart mercury.muse.net.nz
/usr/afs/bin/vos create mercury.muse.net.nz /vicepa root.afs \
-cell muse.net.nz -verbose
/usr/afs/bin/vos create mercury.muse.net.nz /vicepa root.cell \
-cell muse.net.nz -verbose
/usr/afs/bin/vos listvol -server mercury
/usr/afs/bin/fs setacl /afs system:administrators rlidwka
/usr/afs/bin/fs setacl /afs system:anyuser rl
/usr/afs/bin/fs mkmount /afs/muse.net.nz root.cell
/usr/afs/bin/fs setacl /afs/muse.net.nz system:administrators rlidwka
/usr/afs/bin/fs setacl /afs/muse.net.nz system:anyuser rl
/usr/afs/bin/fs mkmount /afs/.muse.net.nz root.cell -rw
/usr/afs/bin/fs mkmount -dir /afs/su.se -vol root.cell -cell su.se -fast
/usr/afs/bin/fs mkmount -dir /afs/ualberta.ca -vol root.cell -cell ualberta.ca -fast
/usr/afs/bin/fs mkmount -dir /afs/stacken.kth.se -vol root.cell -cell stacken.kth.se -fast
/usr/afs/bin/pts removeuser wavey system:administrators -cell muse.net.nz
debugging
===========================================================
/usr/afs/bin/bosserver -log -enable_peer_stats -enable_process_stats -nofork
config files
===========================================================
file:/usr/afs/etc/CellServDB
# /afs/muse.net.nz/
>muse.net.nz # dave & veronika
10.0.0.9 #mercury.muse.net.nz
#10.0.0.20 #straylight.muse.net.nz
#10.0.0.21 #wintermute.muse.net.nz
#10.0.0.22 #sendai.muse.net.nz
# /afs/ualberta.ca/mirror/openbsd/
>ualberta.ca # University of Alberta
129.128.1.131 #file13.ucs.ualberta.ca
129.128.98.17 #mystery.ucs.ualberta.ca
129.128.125.40 #drake-en0.ucs.ualberta.ca
# /afs/stacken.kth.se/ftp/pub/OpenBSD/
>stacken.kth.se # Royal Institute of Technology Computer Club
130.237.234.3 #milko.stacken.kth.se
130.237.234.43 #hot.stacken.kth.se
130.237.237.230 #fishburger.stacken.kth.se
# /afs/su.se/services/ftp/pub/OpenBSD
>su.se # Stockholm University
130.237.162.81 #afsdb1.su.se
130.237.162.82 #afsdb2.su.se
130.237.162.230 #afsdb3.su.se
file:/usr/afs/etc/ThisCell
muse.net.nz
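An added example (mine, not from the post) that serves both the arla client's /etc/afs/CellServDB in the ARLA Client section and the server-side /usr/afs/etc/CellServDB and ThisCell shown here: a small parser for the CellServDB format that skips commented-out server lines, plus a check that the cell named in ThisCell actually has an active dbserver entry, which is the state the post says the client must be in before OpenAFS is started. The sample files are constructed from the entries above and written to a temporary directory.

```shell
#!/bin/sh
# Added example: parse CellServDB and verify ThisCell against it.
# ">cell  # comment" starts a cell; following "ip  #host" lines are its dbservers;
# a line starting with "#" is a commented-out server and must be ignored.

SAMPLE_DIR=$(mktemp -d)
# Constructed CellServDB modelled on the post (not the real file).
cat > "$SAMPLE_DIR/CellServDB" <<'EOF'
>muse.net.nz          # dave & veronika
10.0.0.9              #mercury.muse.net.nz
#10.0.0.20            #straylight.muse.net.nz
>su.se                # Stockholm University
130.237.162.81        #afsdb1.su.se
130.237.162.82        #afsdb2.su.se
130.237.162.230       #afsdb3.su.se
EOF
printf 'muse.net.nz\n' > "$SAMPLE_DIR/ThisCell"

# cellservdb_cells FILE: one cell name per line.
cellservdb_cells() {
    awk '/^>/ { print substr($1, 2) }' "$1"
}

# cellservdb_servers FILE CELL: the active (uncommented) dbserver addresses of CELL.
cellservdb_servers() {
    awk -v cell="$2" '
        /^>/                { in_cell = (substr($1, 2) == cell); next }
        in_cell && /^[0-9]/ { print $1 }' "$1"
}

# thiscell_known DIR: succeeds when DIR/ThisCell names a cell that has at least
# one active server in DIR/CellServDB.
thiscell_known() {
    cell=$(head -n 1 "$1/ThisCell")
    [ -n "$cell" ] && [ -n "$(cellservdb_servers "$1/CellServDB" "$cell")" ]
}

# Demonstration on the constructed files.
cellservdb_cells "$SAMPLE_DIR/CellServDB"                         # muse.net.nz, su.se
cellservdb_servers "$SAMPLE_DIR/CellServDB" muse.net.nz           # 10.0.0.9 only
thiscell_known "$SAMPLE_DIR" && echo "ThisCell is resolvable from CellServDB"
```

Point it at /etc/afs (arla) or /usr/afs/etc (OpenAFS server) instead of the scratch directory; an empty server list for your own cell means the client is still pointing at someone else's cell, or every entry for yours is commented out.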
file:/usr/afs/etc/SuidCells
file:/usr/afs/etc/CellAlias
muse.net.nz muse
file:/usr/afs/etc/afsd.conf
high_vnodes 12000
low_vnodes 9000
high_bytes 128M
low_bytes 64M
numcreds 100
numconns 100
numvols 100
fetch_block 4M
file:/usr/vice/etc/
CellServDB -> /usr/afs/etc/CellServDB
KeyFile -> /usr/afs/etc/KeyFile
ThisCell -> /usr/afs/etc/ThisCell
libafs.o
file:/etc/afs/
CellServDB -> /usr/afs/etc/CellServDB
SuidCells -> /usr/afs/etc/SuidCells
ThisCell -> /usr/afs/etc/ThisCell
afsd.conf -> /usr/afs/etc/afsd.conf
file:/etc/rc.local
# start OpenAFSD
if [ "X${openafsd_flags}" != X"NO" ]; then
echo 'starting OpenAFS daemons...'; /usr/afs/bin/bosserver ${openafsd_flags}
fi
file:/etc/rc.conf.local
### start AFS server
openafsd_flags="-log"
cheers, scorch
--
out of the frying pan and into the fire
[attachment: krb5.conf]
# $OpenBSD: krb5.conf.example,v 1.6 2005/02/07 06:08:10 david Exp $
#
# Example Kerberos 5 configuration file. You may need to change the defaults
# in this file to match your environment.
#
# See krb5.conf(5) and the heimdal infopage for more information.
#
# Normally, the realm should be your DNS domain name with uppercase
# letters. In this example file, we've written the realm as MY.REALM
# and the domain as my.domain to make it clear what we refer to.
#
# Normally, it is not necessary to do any changes on client-only
# machines, as it's recommended that the information needed is put
# in DNS.
# On server machines, it is not strictly necessary, but it is recommended
# to have local configuration.
#
[libdefaults]
default_realm = MUSE.NET.NZ
ticket_lifetime = 6000
clockskew = 300
[appdefaults]
afs-use-524 = no
afslog = yes
[realms]
MUSE.NET.NZ = {
supported_keytypes = des:normal des-cbc-crc:v4 des-cbc-crc:afs3
kdc = 3dogs.muse.net.nz
admin_server = 3dogs.muse.net.nz
kpasswd_server = 3dogs.muse.net.nz
}
[domain_realm]
.muse.net.nz = MUSE.NET.NZ
[kadmin]
default_keys = v5 afs3
afs-cell = muse.net.nz
[logging]
kadmind = FILE:/var/heimdal/kadmind.log
[kdc]
require-preauth = no
v4-realm = MUSE.NET.NZ
afs-cell = muse.net.nz