[OpenAFS] Newbie Question
Gary Bowling
gb@gbco.us
Fri, 02 May 2008 11:26:44 -0500
I found a bit more information that may point to my problem. In the
/var/log/krb5kdc.log file I get the following errors, but I'm not
sure how to resolve them.
May 02 11:19:26 homepc.gbco.us krb5kdc[2192](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=16}, admin@GBCO.US for krbtgt/GBCO.US@GBCO.US
May 02 11:19:26 homepc.gbco.us krb5kdc[2192](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=16}, admin@GBCO.US for krbtgt/GBCO.US@GBCO.US
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166, admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166, admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166, admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166, admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=1}, admin@GBCO.US for afs@GBCO.US
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=1}, admin@GBCO.US for afs@GBCO.US
____________________
Gary Bowling
GBCO.US
gb@gbco.us
____________________
Steve Devine wrote:
> Gary Bowling wrote:
>>
>> I'm a newbie to AFS, but have been an "IT guy" for a long time.
>> Trying to set this up in a lab to gain an understanding of how
>> to use it for one of my customers.
>>
>> My server is CentOS 5 and I'm almost there, but stuck at the very
>> end. Here's what I've done and where I'm stuck.
>>
>> - Installed all the appropriate kerberos and openafs tools via the
>> rpm repository, openafs version is 1.4.6.
>>
>> - Set up krb5.conf as follows:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = GBCO.US
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> GBCO.US = {
>> kdc = kerberos.gbco.us:88
>> admin_server = kerberos.gbco.us:749
>> default_domain = gbco.us
>> }
>>
>> [domain_realm]
>> .gbco.us = GBCO.US
>> gbco.us = GBCO.US
>>
>> [kdc]
>> profile = /var/kerberos/krb5kdc/kdc.conf
>>
>> [appdefaults]
>> afs_krb5 = {
>> GBCO.US = {
>> afs/GBCO.US = false
>> afs = false
>> }
>> }
>>
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>>
>> - set up /var/kerberos/krb5kdc/kdc.conf as follows:
>> [kdcdefaults]
>> v4_mode = nopreauth
>> kdc_tcp_ports = 88
>>
>> [realms]
>> GBCO.US = {
>> #master_key_type = des3-hmac-sha1
>> master_key_type = des-cbc-crc
>> acl_file = /var/kerberos/krb5kdc/kadm5.acl
>> dict_file = /usr/share/dict/words
>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>> des-cbc-crc:v4 des-cbc-crc:afs3
>> }
>>
>> - Set up /etc/pam.d/login and added the following line:
>>
>> auth sufficient /usr/lib/security/pam_afs.so try_first_pass ignore_root
>>
>> - Ran kadmin.local -q "addprinc -randkey afs" - success!
>>
>> - Ran kadmin.local -q "ktadd -e des-cbc-crc:afs3 afs" - Success! with
>> kvno number 3
>>
>> - Ran asetkey add 3 /etc/krb5.keytab afs - Success!
>>
>> - Edited /etc/sysconfig/openafs and added the BOSSERVER_ARGS=-noauth
>> line and started openafs-server - Success!
>>
>> - Ran bos setcellname localhost gbco.us -noauth - Success and bos
>> listhosts localhost -noauth returns the cell name gbco.us and
>> hostname homepc.gbco.us which are both correct.
>>
>> - Ran bos create -server homepc.gbco.us -instance ptserver -type
>> simple -cmd /usr/afs/bin/ptserver -cell gbco.us -noauth - Success!
>>
>> - Ran kadmin.local -q "addprinc admin" - Success!
>>
>> - Ran bos adduser homepc.gbco.us admin -cell gbco.us -noauth - Success
>>
>> - Ran bos listkeys homepc.gbco.us -cell gbco.us -noauth - All looks
>> good as follows.
>> key 3 has cksum 2318139578
>> Keys last changed on Fri May 2 07:21:18 2008.
>> All done.
>>
>> - Ran pts createuser -name admin -cell gbco.us -noauth - Success!
>>
>> - Ran pts adduser admin system:administrators -cell gbco.us -noauth -
>> success
>>
>> - Ran pts membership admin -cell gbco.us -noauth - Looks good with
>> the following results.
>> Groups admin (id: 1) is a member of:
>> system:administrators
>>
>> - Ran bos create -server homepc.gbco.us -instance fs -type fs -cmd
>> /usr/afs/bin/fileserver -cmd /usr/afs/bin/volserver -cmd
>> /usr/afs/bin/salvager -cell gbco.us -noauth - Success!
>>
>> - Ran bos create -server homepc.gbco.us -instance vlserver -type
>> simple -cmd /usr/afs/bin/vlserver -cell gbco.us -noauth - Success!
>>
>> - Ran bos create -server homepc.gbco.us -instance buserver -type
>> simple -cmd /usr/afs/bin/buserver -cell gbco.us -noauth - Success!
>>
>> - Created /vicepa mount point and mounted - looks good.
>>
>> - Ran vos create -server homepc.gbco.us -partition /vicepa -name
>> root.afs -cell gbco.us -noauth - Success!
>>
>> - Ran bos status homepc.gbco.us fs -long -noauth - Looks good with
>> the following results.
>> Instance fs, (type is fs) currently running normally.
>> Auxiliary status is: file server running.
>> Process last started at Fri May 2 09:25:37 2008 (2 proc starts)
>> Command 1 is '/usr/afs/bin/fileserver'
>> Command 2 is '/usr/afs/bin/volserver'
>> Command 3 is '/usr/afs/bin/salvager'
>>
>> - Edited /etc/sysconfig/openafs and removed the "-noauth" - restarted
>> openafs-server in normal mode requiring authentication.
>>
>> - Started client
>>
>> - Ran kinit admin - put in pass - Success!
>>
>> - Ran klist - with the following results:
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin@GBCO.US
>>
>> Valid starting Expires Service principal
>> 05/02/08 09:34:21 05/03/08 09:34:21 krbtgt/GBCO.US@GBCO.US
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>> - Ran aklog - Success!
>>
>> - Ran tokens with the following results
>> Tokens held by the Cache Manager:
>>
>> User's (AFS ID 1) tokens for afs@gbco.us [Expires May 3 09:34]
>> --End of list--
>>
>> - Ran klist again and get
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin@GBCO.US
>>
>> Valid starting Expires Service principal
>> 05/02/08 09:34:21 05/03/08 09:34:21 krbtgt/GBCO.US@GBCO.US
>> 05/02/08 09:35:38 05/03/08 09:34:21 afs@GBCO.US
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>> - Ran fs checkvolumes - with the following results.
>> All volumeID/name mappings checked.
>>
>> - Ran fs setacl /afs system:anyuser rl - Received the following error...
>> fs: You don't have the required access rights on '/afs'
>>
>> I've done a number of subsequent things in kadmin and other places,
>> but am at a loss as to how to resolve. Any help would be appreciated.
>>
>> Thanks,
>> Gary
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
> Got admin in /usr/afs/etc/UserList?
>
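The krb5kdc.log excerpt at the top of this message is the kind of thing worth reading with a small script rather than by eye: it records which service principals the KDC could not find and which encryption types ended up in the issued tickets. The following triage helper is an added example, not code from the OpenAFS project or from either poster. It parses MIT krb5kdc AS_REQ/TGS_REQ records (the format shown above), maps the numeric enctypes to their RFC 3961/3962/4757 names, reports every UNKNOWN_SERVER service, flags tickets issued with a single-DES session key (ses=1), and pairs an UNKNOWN_SERVER for afs/<cell>@REALM with a later ISSUE for afs@REALM from the same client, which is the afs/<cell>-then-afs lookup order aklog uses. The pairing heuristic and the field names are this example's own assumptions; the sample log text is copied from the post above, and the regex is written only for the record shapes that appear there.

```python
"""Triage helper for MIT krb5kdc.log AS_REQ/TGS_REQ records (added example)."""
import re
from collections import Counter

# Kerberos encryption-type numbers as they appear in the log (RFC 3961/3962/4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Single-DES enctypes: 56-bit keys, deprecated by RFC 6649.
WEAK_ETYPES = {1, 2, 3}

# Matches the two record shapes seen in the post: a plain status line and an
# ISSUE line that carries "etypes {rep=.. tkt=.. ses=..}" before the client.
_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>\w+): authtime (?P<authtime>\d+),"
    r"(?: etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\},)? "
    r"(?P<client>[^\s,]+) for (?P<service>[^\s,]+)(?:, (?P<reason>.*))?$"
)


def parse_kdc_line(line):
    """Return a dict for one AS_REQ/TGS_REQ record, or None for any other line."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["requested_etypes"] = [int(e) for e in rec.pop("etypes").split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_kdc_log(text):
    """Parse every recognised record in a krb5kdc.log excerpt, skipping the rest."""
    return [r for r in (parse_kdc_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Report unknown services, single-DES session keys and afs/<cell> -> afs fallbacks."""
    unknown = Counter()
    weak = []
    fallbacks = set()
    for i, r in enumerate(records):
        if r["status"] == "UNKNOWN_SERVER":
            unknown[r["service"]] += 1
            # Heuristic (assumption of this example): aklog asks for afs/<cell>@REALM
            # first and falls back to afs@REALM, so look for that ISSUE afterwards
            # from the same client principal and address.
            if r["service"].startswith("afs/"):
                realm = r["service"].rsplit("@", 1)[1]
                for later in records[i + 1:]:
                    if (later["status"] == "ISSUE"
                            and later["client"] == r["client"]
                            and later["addr"] == r["addr"]
                            and later["service"] == "afs@" + realm):
                        fallbacks.add((r["service"], later["service"]))
                        break
        elif r["status"] == "ISSUE" and r["ses"] in WEAK_ETYPES:
            weak.append((r["client"], r["service"], ETYPE_NAMES[r["ses"]]))
    return {
        "unknown_servers": dict(unknown),
        "weak_session_keys": weak,
        "afs_fallbacks": sorted(fallbacks),
    }


# The eight records posted above, one per line.
SAMPLE_LOG = """\
May 02 11:19:26 homepc.gbco.us krb5kdc[2192](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=16}, admin@GBCO.US for krbtgt/GBCO.US@GBCO.US
May 02 11:19:26 homepc.gbco.us krb5kdc[2192](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=16}, admin@GBCO.US for krbtgt/GBCO.US@GBCO.US
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166, admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166, admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166, admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166, admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=1}, admin@GBCO.US for afs@GBCO.US
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=1}, admin@GBCO.US for afs@GBCO.US
"""

if __name__ == "__main__":
    for key, value in summarize(parse_kdc_log(SAMPLE_LOG)).items():
        print(key, value)
```

Run against the posted excerpt, the summary says three things. The only principal the KDC cannot find is afs/gbco.us@GBCO.US, which matches the setup steps above: only `afs` was created with `addprinc`, not `afs/gbco.us`, so the UNKNOWN_SERVER entries are the expected first half of aklog's lookup and the following ISSUE for afs@GBCO.US is the fallback succeeding. The afs service tickets carry a single-DES session key (ses=1) because the client asked for etype 1 only, which is what the des-cbc-crc:afs3 key created with `ktadd` and loaded with `asetkey` requires. Nothing in this log is a failure on the KDC side, so it does not by itself explain the `fs setacl` access error.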