[OpenAFS] Re: Win2K AFS server, setup SL4.5 test-cell server then migrate...

Sergio Gelato Sergio.Gelato@astro.su.se
Tue, 16 Sep 2008 01:08:35 +0200

* avison4 [2008-09-13 17:54:05 +0000]:
> Sergio Gelato said
> > My favourite cell setup instructions are the ones that ship as part of
> > the Debian OpenAFS packages. The reason is that they don't require you
> > to use the -noauth switch.
> When I looked at this, the only "instructions" for configuring a new AFS
> server were: "Run afs-newcell" & "Run afs-rootvol", which are Perl scripts.
> Is that what you mean?

I also see /usr/share/doc/openafs-dbserver/README.servers.gz and
Besides, the perl scripts may be executable but they can also be
studied as documentation (and modified to meet local needs).

> Jason said:
> > You don't need to set up a KDC, but you must make sure that the
> > Linux server can kinit against the AD servers.
> Stuck there. Servers are running, no errors in logfiles (that I can see);
> client processes running, but start with error:
> afsd: Can't mount AFS on /afs(22)

That's (at least superficially) a client-side problem. I'd check that
the kernel module is properly loaded. If you aren't using -dynroot, then
maybe your client has trouble getting to the root.afs volume of its
default cell (did you remember to create that volume?)

> Next they say login to Kerberos then AFS:
> root@vlad> kinit admin
> kinit(v5): Client not found in Kerberos database while getting initial credentials
> No matter what variant tried, that's the response.

The information you gave in the rest of the message shows pretty conclusively 
that your old cell has *not* been fully migrated to Kerberos 5.
I think that's the source of your confusion. 

If you want to replicate the current state of your old cell, you'll have
to run a kaserver. But that solution is not future-proof: kaserver (and
indeed Kerberos 4) is deprecated. You should plan on moving to Kerberos

You don't need the AFS administration account to be called "admin".
Any principal(s) listed in the cell's UserList file will have
administrative privileges.