[OpenAFS] Newbie question.

Thomas Kula kula@tproa.net
Mon, 21 Jul 2008 13:12:52 -0400

On Mon, Jul 21, 2008 at 11:25:13AM +0100, Max Lock wrote:
>    Hi Folks,
>    I'm  very  near  completing my first openafs setup. I've installed the
>    MIT  kerberos  5  service  and  the openafs service on seperate debian
>    machines,  as I plan to add extra AFS cells in the near future. having
>    looked at two howto's..
>    * [1]http://www.gentoo.org/doc/en/openafs.xml
>    * [2]http://www.scode.org/afs/openafs-install.txt
>    I'm  able  to  obtain kerberos keys on a client just fine. However I'm
>    unsure  how  to  'link'  openafs  and  kerberos together. Both howto's
>    assume a single server is running both systems and use asetkey to copy
>    a  kerberos  key  into afs (asetkey add <n> /etc/krb5.keytab afs) so I
>    copied  over the keytab file from the kerberos server to complete this
>    step. Was this correct?

Yes, that will work. asetkey reads the principal from the keytab
and turns it into a KeyFile for use by the AFS server processes.
Essentially, take a copy of whatever keytab you put the afs
principal in, put it on one of your AFS server machines, and
run asetkey. Note that you only have to do this once, after the
KeyFile is created you can simply copy that over to any new AFS
server machines. 

Note that you most likely do not want to call your principal 
"afs@REALM" but rather "afs/cell@REALM" --- the latter is the
modern convention, is tried first by most things nowadays,
and facilitates having multiple AFS cells serviced by a single
Kerberos realm.

Thomas L. Kula | kula@tproa.net | http://kula.tproa.net/
Mathom House in Midtown, The People's Republic of Ames