[OpenAFS] Re: Win2K AFS server, setup SL4.5 test-cell server then migrate...
Sergio Gelato
Sergio.Gelato@astro.su.se
Tue, 16 Sep 2008 01:08:35 +0200
* avison4 [2008-09-13 17:54:05 +0000]:
> Sergio Gelato said
> > My favourite cell setup instructions are the ones that ship as part of
> > the Debian OpenAFS packages. The reason is that they don't require you
> > to use the -noauth switch.
>
> When I looked at this, the only "instructions" for configuring a new AFS
> server were: "Run afs-newcell" & "Run afs-rootvol" which are perl scripts.
> Is that what you mean?
I also see /usr/share/doc/openafs-dbserver/README.servers.gz and
/usr/share/doc/openafs-dbserver/configuration-transcript.txt.gz.
Besides, the perl scripts may be executable but they can also be
studied as documentation (and modified to meet local needs).
> Jason said:
> > You don't need to set up a KDC, but you must make sure that the
> > Linux server can kinit against the AD servers.
>
> Stuck there. Servers are running, no errors in logfiles (that I can see);
> client processes running, but start with error:
> afsd: Can't mount AFS on /afs(22)
That's (at least superficially) a client-side problem. I'd check that
the kernel module is properly loaded. If you aren't using -dynroot, then
maybe your client has trouble getting to the root.afs volume of its
default cell (did you remember to create that volume?)
> Next they say login to Kerberos then AFS:
>
> root@vlad> kinit admin
> kinit(v5): Client not found in Kerberos database while getting initial credentials
>
> No matter what variant tried, that's the response.
The information you gave in the rest of the message shows pretty conclusively
that your old cell has *not* been fully migrated to Kerberos 5.
I think that's the source of your confusion.

If you want to replicate the current state of your old cell, you'll have
to run a kaserver. But that solution is not future-proof: kaserver (and
indeed Kerberos 4) is deprecated. You should plan on moving to Kerberos
5 ASAP.

You don't need the AFS administration account to be called "admin".
Any principal(s) listed in the cell's UserList file will have
administrative privileges.