[OpenAFS] running an OpenAFS-Server behind an NAT firewall

Tobias Pfeiffer BoteDesSchattens@web.de
Thu, 16 Jun 2005 23:51:47 +0200

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit


See http://m24s08.vlinux.de/~tobi/public/afs-problems.png for what I
have built here. files.mycell.de houses AFS fileserver and dbserver as
well as a Heimdal KDC. This works almost quite fine.

Within the local network, I can kinit, get tickets and tokens and then
access the /afs file tree. From outside the local network, there is a
problem. I can kinit and obtain tickets and tokens. I can issue
arbitrary bos and pts commands, create new groups, users, whatever. But
I cannot access the /afs file tree. The problem is that when I try to
access a volume, the client asks the VLDB where this volume is located
and always gets as an answer. This is fine within the LAN,
but a problem outside of it, since.. well, where is *grin*
In my case, the client tried to access the volumes on my own client
machine, since I do have, too. See some output:

tobi@~ $ vos listvol mycell.dyndns.org
Total number of volumes on server mycell.dyndns.org partition /vicepa: 3
root.afs                          536870912 RW          3 K On-line
root.cell                         536870915 RW         59 K On-line
usr.tpfeiffer                     536870918 RW         12 K On-line

This is fine, isn't it?

tobi@~ $ vos listvldb
VLDB entries for all servers

     RWrite: 536870912
     number of sites -> 1
        server partition /vicepa RW Site

     RWrite: 536870915
     number of sites -> 1
        server partition /vicepa RW Site

     RWrite: 536870918
     number of sites -> 1
        server partition /vicepa RW Site

This is not, since you see that actually the IP is wrong.

Now the question: How can I resolve this? Can I get the dbserver to
telling the clients outside the LAN that there is a different fileserver
housing these volumes? Can I somehow do something on the router so that
packets that go outside containing information about the fileserver will
be modified? The whole cell is still in a very early stage, so there can
still be made some basic modifications of the LAN layout. I appreciate
any hints! Thanks!


Debian GNU/Linux Sarge has been released as stable!
  -- http://www.debian.de/News/2005/20050606

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

Version: GnuPG v1.2.5 (GNU/Linux)