[OpenAFS] RHEL4 kdc/afs server - using "afs" vs "afs/<cellname>" in kerberos

avison48 avison48@yahoo.co.uk
Sun, 21 Sep 2008 16:56:44 +0000 (GMT)

Thank you very much Sergio (and Jason for F9 pointer)!
I gave up on using the Microsoft KDC server for now & as someone suggested
followed the Fedora9 instructions to do as they do, own+operate RHEL kdc
server on the new (test) AFS server itself to get everything working.
Doing this, things are progressing further.

But it seems just using "afs" is insufficient on RHEL :

root@vlad> kadmin.local -q "addprinc -randkey afs"
Authenticating as principal root/admin@KTEST.PHY with password.
WARNING: no policy specified for afs@KTEST.PHY; defaulting to no policy
Principal "afs@KTEST.PHY" created.

Because down the road aklog failed:
aklog: Couldn't get atest.phy AFS tickets:
aklog: unknown RPC error (-1765328377) while getting AFS tickets

Based on the error in /var/log/krb5kdc.log:
UNKNOWN_SERVER: authtime 1222007068,  admin@KTEST.PHY for
afs/atest.phy@KTEST.PHY, Server not found in Kerberos database

it seems pretty obvious there was a difference between
Principal "afs@KTEST.PHY"
So the solution was to instead use afs/<cellname>

root@vlad> kadmin.local -q "addprinc -randkey afs/atest.phy"

Then aklog works. (Is there a different/better solution?)
But then next step fs setacl doesn't:

root@vlad> fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

I've reproduced this on another test server, exactly.

Can anyone clarify using afs in the kerberos commands vs afs/<cellname> ??

RHEL debugging hints welcome!

> I also see /usr/share/doc/openafs-dbserver/README.servers.gz and
> /usr/share/doc/openafs-dbserver/configuration-transcript.txt.gz.

These appear to be un-RHEL things - no such package openafs-docs for RHEL.
Could you send them to me somehow?
The posting & perl scripts listed on
are somewhat useful, if they're not out of date.

Very grateful thanks to all for hints+help.
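
An added example, not part of the original message: a small Python check that decodes the number aklog printed and matches the UNKNOWN_SERVER entry from krb5kdc.log against a list of existing principals, to show when only the instance part differs. The function names are hypothetical, the log line is the one quoted above joined onto one line, and the principal list is constructed (on a real KDC it could be taken from `kadmin.local -q listprincs`).

```python
import re

KRB5_ERR_BASE = -1765328384  # base of the MIT krb5 com_err error table
KDC_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # RFC 4120 error numbers
              7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}

UNKNOWN_SERVER = re.compile(
    r"UNKNOWN_SERVER: authtime (?P<authtime>\d+),\s+(?P<client>\S+) for "
    r"(?P<service>[^,\s]+), Server not found in Kerberos database")

def decode_krb5_error(code):
    """Turn the number aklog prints into an RFC 4120 error number and name."""
    number = code - KRB5_ERR_BASE
    return number, KDC_ERRORS.get(number, "not in this table")

def split_principal(name):
    """Split 'primary/instance@REALM' into (primary, instance, realm)."""
    rest, sep, realm = name.rpartition("@")
    if not sep:                      # no realm given
        rest, realm = name, ""
    primary, _, instance = rest.partition("/")
    return primary, instance, realm

def diagnose(kdc_log, known_principals):
    """List each service the KDC could not find, with database entries that
    share its primary and realm but differ in the instance."""
    findings = []
    for m in UNKNOWN_SERVER.finditer(kdc_log):
        wanted = m["service"]
        primary, _, realm = split_principal(wanted)
        near = sorted(p for p in known_principals
                      if p != wanted
                      and split_principal(p)[0] == primary
                      and split_principal(p)[2] == realm)
        findings.append({"client": m["client"], "missing": wanted,
                         "near_misses": near})
    return findings

# Constructed sample input: the log entry quoted in the message, on one line,
# and an assumed principal list for the test realm.
SAMPLE_LOG = ("UNKNOWN_SERVER: authtime 1222007068,  admin@KTEST.PHY for "
              "afs/atest.phy@KTEST.PHY, Server not found in Kerberos database\n")
SAMPLE_PRINCS = ["admin@KTEST.PHY", "afs@KTEST.PHY", "krbtgt/KTEST.PHY@KTEST.PHY"]

if __name__ == "__main__":
    print(decode_krb5_error(-1765328377))
    for finding in diagnose(SAMPLE_LOG, SAMPLE_PRINCS):
        print(finding)
```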