[OpenAFS] Re: Win2K AFS server, setup SL4.5 test-cell server then migrate...

avison48 avison48@yahoo.co.uk
Sat, 13 Sep 2008 17:54:05 +0000 (GMT)


Still working on this.

Jason said:
> These instructions might help.
> http://www.dementia.org/twiki/bin/view/AFSLore/FedoraAFSInstall

They look clear, thank you for pointer Jason! Except they still assume you
own & manage your own Unix KDC, which is not true here.

The new test machine has same AFS cell name as production server, all real
clients look to the production server & I can build a test client to look
to this test server. Right now the only client is on the test AFS server

Um! on the real Win2K server, the new test server vlad appears in the top
GUI window alongside the real Win2K AFS server! It doesn't see any volumes=
or partitions but does show the Unix processes. So somehow they are
communicating. Bit worried about that.

Sergio Gelato said
> How much downtime (if any) are you willing to accept for your cell?

None, in production hours, but weekends def possible.

> My favourite cell setup instructions are the ones that ship as part of
> the Debian OpenAFS packages. The reason is that they don't require you
> to use the -noauth switch.

When I looked at this, the only "instructions" for configure of a new afs
server were: "Run afs-newcell" & "Run afs-rootvol" which are perl scripts.=
Is that what you mean?

Jason said:
> You don't need to set up a KDC, but you must make sure that the
> Linux server can kinit against the AD servers.

Stuck there. Servers are running, no errors in logfiles (that I can see);
client proccesses running, but start with error:
afsd: Can't mount AFS on /afs(22)

/afs is empty underneath - no afs cellname. CellServDB & ThisCell are=20
correct. Haven't figured this out yet, pointers welcome.

Next they say login to Kerberos then AFS:

root@vlad> kinit admin
kinit(v5): Client not found in Kerberos database while getting initial cred=

No matter what variant tried, that's the response.

On the production Win2K AFS server, the AFS administrative account is=20
'admin' so it's just an assumption that's the kerberos principal name=20
having to do with our AFS service??

I'm still semi-puzzled if AFS accounts are separate from kerberos accounts,
or not. They must be, accounts have diff pw within AFS than in Kerberos (or
ADS, which I presume  in our context 'acts' like Kerberos) & there are=20
accounts on our AFS server that definitely don't exist in Kerberos.

So does AFS/Kerberos work such that the afs account "admin" on the Win2K AF=
S server is guaranteed to be an account existing in Kerberos having to do=
with AFS, & that the pw for the AFS account admin will =3D Kerberos (or=20
kinit) pw?

I wonder if, for instance, kerberos account 'admin' may have to do with=20
admin of Kerberos/ADS, in which case only the KDC admin will know it &=20
there must be some other KDC/ADS 'afs-admin' related account. I'll ask him =
but I think he knows nearly nothing about this AFS server setup long ago.

root@vlad> aklog
aklog: Couldn't get <cellname> AFS tickets:
aklog: unknown RPC error (-1765328189) while getting AFS tickets

Haven't figured that out at all.

Even klog doesn't work:

root@vlad> klog admin
[ hangs a long time ]
Unable to authenticate to AFS because Authentication Server was Unavailable

On production AFS client machines klog admin works & tokens shows the right
AFS ID & afs@<cellname> so the problem is my test machine vlad &/or the KDC
not wanting to respond to it.

The KDC is Win2003 server. I can login to it & look at logs. Nothing in
EventLog looks relevant, or even timestamped at the time I'm testing. The
only software that looks like it's doing KDC things is Active Directory.=20
I'd like to find relevant kdc/ads logfiles but only EventLog so far.

Or does it sound like vlad my test AFS server is not contacting the Win2003
kerberos server at all?

On vlad, /etc/krb.conf has the ADS domain & server:port looking good.
/etc/krb5.conf looks good & I can confirm it authenticates my user login
account to the Win2003 KDC ok (timestamps match SYSTEM entries in SecurityL=

krb.realms is not relevant??? (as distributed it's very sparse).

Since this ADS/KDC talks to IBM AFS 3.5, could it be tweaked such that
it can't communicate properly with this modern openafs server?

Some googling suggested that on KDC WINNT\system32\drivers\etc\hosts
might need to contain the Unix afs server ip+name; but it doesn't contain=
the win2K AFS ip+name. (But that's k4.)
I wouldn't dare change anything on the KDC myself.

Hints/advice/pointers gratefully welcomed!