[OpenAFS] Newbie question.
Thomas Kula
kula@tproa.net
Mon, 21 Jul 2008 13:12:52 -0400
On Mon, Jul 21, 2008 at 11:25:13AM +0100, Max Lock wrote:
>
> Hi Folks,
> I'm very near completing my first openafs setup. I've installed the
> MIT kerberos 5 service and the openafs service on separate Debian
> machines, as I plan to add extra AFS cells in the near future. Having
> looked at two howto's:
> * http://www.gentoo.org/doc/en/openafs.xml
> * http://www.scode.org/afs/openafs-install.txt
> I'm able to obtain kerberos keys on a client just fine. However I'm
> unsure how to 'link' openafs and kerberos together. Both howto's
> assume a single server is running both systems and use asetkey to copy
> a kerberos key into afs (asetkey add <n> /etc/krb5.keytab afs) so I
> copied over the keytab file from the kerberos server to complete this
> step. Was this correct?

Yes, that will work. asetkey reads the principal from the keytab
and turns it into a KeyFile for use by the AFS server processes.
Essentially, take a copy of whatever keytab you put the afs
principal in, put it on one of your AFS server machines, and
run asetkey. Note that you only have to do this once; after the
KeyFile is created, you can simply copy that over to any new AFS
server machines.

Note that you most likely do not want to call your principal
"afs@REALM" but rather "afs/cell@REALM" --- the latter is the
modern convention, is tried first by most things nowadays,
and facilitates having multiple AFS cells serviced by a single
Kerberos realm.
--
Thomas L. Kula | kula@tproa.net | http://kula.tproa.net/
Mathom House in Midtown, The People's Republic of Ames
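
Added example (not part of the original message, and not OpenAFS or MIT Kerberos code): before running asetkey on a copied keytab, it helps to confirm which afs principal and key version number the file holds, since the `<n>` in `asetkey add <n>` is that key version number. This Python example parses the MIT keytab file format (version 0x0502) and reports the afs entries and their naming style; the realm, cell name and zeroed keys in the sample are constructed placeholders, and the helper names are hypothetical.

```python
import struct
def counted(buf, off):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # negative size marks a deleted slot; skip it
            off += -size
            continue
        rec, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(rec, p)
            comps.append(c.decode())
        kvno = rec[p + 8]          # 8-bit kvno follows name type and timestamp
        enctype, keylen = struct.unpack_from(">HH", rec, p + 9)
        p += 13 + keylen
        if len(rec) - p >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (wide,) = struct.unpack_from(">I", rec, p)
            kvno = wide or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries

def afs_entries(data):
    """Keep afs@REALM and afs/cell@REALM entries and label the naming style."""
    return [(p, k, "afs/cell" if "/" in p.split("@")[0] else "legacy afs")
            for p, k, _ in parse_keytab(data)
            if p.split("@")[0] == "afs" or p.startswith("afs/")]

def make_entry(realm, comps, kvno, enctype, key):  # builds constructed sample entries
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
            + struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
            + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: zeroed keys, placeholder realm and cell names.
SAMPLE = (b"\x05\x02" + make_entry(b"EXAMPLE.COM", [b"host", b"fs1"], 2, 18, bytes(32))
          + make_entry(b"EXAMPLE.COM", [b"afs"], 1, 1, bytes(8))
          + make_entry(b"EXAMPLE.COM", [b"afs", b"example.com"], 3, 1, bytes(8)))
```

Calling `afs_entries()` on the bytes of a real keytab gives the principal name and key version number to pass to asetkey, the same information `klist -k` prints on a machine with the Kerberos client tools installed.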