[OpenAFS] OpenAFS server possibly not using kdc for authentication?
Eric Bennett
eric@umbralservices.com
Wed, 04 May 2005 00:09:08 +1000
Hi Guys,
I finally got it to work by just dropping the Debian packages entirely
and building from source. First, just to illustrate that point: to the
best of my knowledge, this means the server is OK:
corvus:/afs# bos status corvus -long
Instance kaserver, (type is simple) currently running normally.
Process last started at Tue May 3 23:51:59 2005 (1 proc starts)
Command 1 is '/usr/local/libexec/openafs/kaserver'
Instance buserver, (type is simple) currently running normally.
Process last started at Tue May 3 23:51:59 2005 (1 proc starts)
Command 1 is '/usr/local/libexec/openafs/buserver'
Instance ptserver, (type is simple) currently running normally.
Process last started at Tue May 3 23:51:59 2005 (1 proc starts)
Command 1 is '/usr/local/libexec/openafs/ptserver'
Instance vlserver, (type is simple) currently running normally.
Process last started at Tue May 3 23:51:59 2005 (1 proc starts)
Command 1 is '/usr/local/libexec/openafs/vlserver'
Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Process last started at Tue May 3 23:51:59 2005 (2 proc starts)
Command 1 is '/usr/local/libexec/openafs/fileserver'
Command 2 is '/usr/local/libexec/openafs/volserver'
Command 3 is '/usr/local/libexec/openafs/salvager'
Instance upserver, (type is simple) currently running normally.
Process last started at Tue May 3 23:51:59 2005 (1 proc starts)
Command 1 is '/usr/local/libexec/openafs/upserver -crypt /usr/local/etc/openafs -clear /usr/local/bin'
corvus:/afs# mount
/dev/hda1 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/var/lib/openafs/vicepa on /vicepa type ext3 (rw,loop=/dev/loop0)
AFS on /afs type afs (rw)
corvus:/afs# ls -l /afs
total 1
-rw-r--r-- 1 daemon root 8 2005-05-03 23:53 maeh
-rw-r--r-- 1 daemon root 0 2005-05-03 23:57 meow
Now when I try to access this server using the Windows OpenAFS client, I
can obtain a token from the KDC with no problems; that shows up in
/var/log/auth.log as:
May 3 09:02:42 localhost krb5kdc[16802]: PROCESS_V4:Initial ticket request Host: 203.201.104.55 User: "eric" ""
May 3 09:02:42 localhost krb5kdc[16802]: PROCESS_V4:INITIAL request from eric. for afs.
and shows that a ticket has been successfully retrieved. I can then
mount the directory /afs to a local drive mapping; in that drive path are
two folders:
umbralservices.com and .umbralservices.com
I can see none of the files that I put there to test, and I can't add
anything, so I'm working on the hypothesis that the authentication from
Kerberos is actually for some reason not carrying over to the OpenAFS
server and I'm getting anonymous access here?
With that in mind, here is my PAM configuration:
/etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth required pam_env.so
@include common-auth
@include common-account
@include common-session
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
@include common-password
lrwxrwxrwx 1 root root 30 2005-05-03 16:59 /lib/security/pam_afs.so -> /lib/security/pam_afs.krb.so.1
Any ideas?
Regards
Eric