[OpenAFS] OpenAFS server possibly not using kdc for authentication?

Eric Bennett eric@umbralservices.com
Wed, 04 May 2005 00:09:08 +1000


Hi Guys,

I finally got it to work by just dropping the Debian packages entirely 
and building from source. First, just to illustrate that point: to the 
best of my knowledge, this means the server is OK:

corvus:/afs# bos status corvus -long
Instance kaserver, (type is simple) currently running normally.
    Process last started at Tue May  3 23:51:59 2005 (1 proc starts)
    Command 1 is '/usr/local/libexec/openafs/kaserver'

Instance buserver, (type is simple) currently running normally.
    Process last started at Tue May  3 23:51:59 2005 (1 proc starts)
    Command 1 is '/usr/local/libexec/openafs/buserver'

Instance ptserver, (type is simple) currently running normally.
    Process last started at Tue May  3 23:51:59 2005 (1 proc starts)
    Command 1 is '/usr/local/libexec/openafs/ptserver'

Instance vlserver, (type is simple) currently running normally.
    Process last started at Tue May  3 23:51:59 2005 (1 proc starts)
    Command 1 is '/usr/local/libexec/openafs/vlserver'

Instance fs, (type is fs) currently running normally.
    Auxiliary status is: file server running.
    Process last started at Tue May  3 23:51:59 2005 (2 proc starts)
    Command 1 is '/usr/local/libexec/openafs/fileserver'
    Command 2 is '/usr/local/libexec/openafs/volserver'
    Command 3 is '/usr/local/libexec/openafs/salvager'

Instance upserver, (type is simple) currently running normally.
    Process last started at Tue May  3 23:51:59 2005 (1 proc starts)
    Command 1 is '/usr/local/libexec/openafs/upserver -crypt /usr/local/etc/openafs -clear /usr/local/bin'

corvus:/afs# mount
/dev/hda1 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/var/lib/openafs/vicepa on /vicepa type ext3 (rw,loop=/dev/loop0)
AFS on /afs type afs (rw)

corvus:/afs# ls -l /afs
total 1
-rw-r--r--  1 daemon root 8 2005-05-03 23:53 maeh
-rw-r--r--  1 daemon root 0 2005-05-03 23:57 meow

Now, when I try to access this server using the Windows OpenAFS client, I 
can obtain a token from the KDC with no problems; that shows up in 
/var/log/auth.log as:

May  3 09:02:42 localhost krb5kdc[16802]: PROCESS_V4:Initial ticket request Host: 203.201.104.55 User: "eric" ""
May  3 09:02:42 localhost krb5kdc[16802]: PROCESS_V4:INITIAL request from eric. for afs.

This shows that a ticket has been successfully retrieved. I can then 
mount the directory /afs to a local drive mapping; in that drive path are 
two folders,
umbralservices.com and .umbralservices.com

I can see none of the files that I put there to test, and I can't add 
anything, so I'm working on the hypothesis that the authentication from 
Kerberos is actually for some reason not carrying over to the OpenAFS 
server and I'm getting anonymous access here?

With that in mind, here is my PAM configuration:
/etc/pam.d/login
auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
auth      sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth       required   pam_env.so
@include common-auth
@include common-account
@include common-session
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
@include common-password

lrwxrwxrwx  1 root root 30 2005-05-03 16:59 /lib/security/pam_afs.so -> /lib/security/pam_afs.krb.so.1

Any ideas?

Regards
Eric