[OpenAFS] RHEL4 kdc/afs server - using "afs" vs "afs/<cellname>" in kerberos

Jason Edgecombe jason@rampaginggeek.com
Sun, 21 Sep 2008 13:35:35 -0400

avison48 wrote:
> Thank you very much Sergio (and Jason for F9 pointer)! 
> I gave up on using the microsoft KDC server for now & as someone suggested followed the Fedora9 instructions to do as they do, own+operate RHEL kdc server on the new (test) AFS server itself to get everything working. 
> Doing this, things are progressing further.
> But it seems just using "afs" is insufficient on RHEL :
> root@vlad> kadmin.local -q "addprinc -randkey afs"
> Authenticating as principal root/admin@KTEST.PHY with password.
> WARNING: no policy specified for afs@KTEST.PHY; defaulting to no policy
> Principal "afs@KTEST.PHY" created.
> Because down the road aklog failed:
> aklog: Couldn't get atest.phy AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
> Based on the error in /var/log/krb5kdc.log:
> UNKNOWN_SERVER: authtime 1222007068,  admin@KTEST.PHY for
> afs/atest.phy@KTEST.PHY, Server not found in Kerberos database
> it seems pretty obvious there was a difference between
> Principal "afs@KTEST.PHY"
> and
> afs/atest.phy@KTEST.PHY
> So the solution was to instead use afs/<cellname>
> root@vlad> kadmin.local -q "addprinc -randkey afs/atest.phy"

I see both atest.phy and ktest.phy used as the cell/realm name. They
should be the same. Since you are setting up your own KDC, be sure to
use a different realm name from the production realm. Subdomains work
well for this.

> Then aklog works. (Is there a different/better solution?)
> But then next step fs setacl doesn't:
> root@vlad> fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'

Your client is probably configured for dynamic root mode. The above
command will fail in that case. You can disable dynroot mode by
editing /etc/sysconfig/openafs temporarily and rebooting. Another option
is to skip this step and proceed to "fs setacl /afs/example.com" and
then mount the root.afs under /afs/example.com long enough to set the acls.

> I've reproduced this on another test server, exactly.
> Can anyone clarify using afs in the kerberos commands vs afs/<cellname> ??

afs/cellname is the newer and preferred convention. It allows for
multiple cells per realm. Newer clients will try
afs/example.com@EXAMPLE.COM then afs@EXAMPLE.COM. I'm not sure why
afs@EXAMPLE.COM didn't work.

>> I also see /usr/share/doc/openafs-dbserver/README.servers.gz and
>> /usr/share/doc/openafs-dbserver/configuration-transcript.txt.gz.
> These appear to be un-RHEL things - no such package openafs-docs for RHEL.
> Could you send them to me somehow?
> The posting & perl scripts listed on
>   http://lists.openafs.org/pipermail/openafs-info/2005-August/019061.html
> are somewhat useful, if they're not out of date.
> Very grateful thanks for all for hints+help.

Those files are part of the debian packaging. You can find them in CVS
or at
just click on the link for the version of the file.
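As an added example that is not part of this thread or of OpenAFS, the following Python script turns the diagnosis above into a check an administrator can run against a KDC's principal list and its krb5kdc.log: it builds the two service principals a client will ask for (afs/<cell>@REALM first, then afs@REALM), pulls the requested server name out of UNKNOWN_SERVER lines shaped like the one quoted in the thread, and reports when the cell and realm names disagree or when the requested principal simply does not exist. The sample log lines and the principal list are constructed to mirror the thread; the function names and the exact log line format beyond the quoted UNKNOWN_SERVER fragment are assumptions.

```python
"""Check which AFS service principal a KDC holds versus what aklog asks for."""
import re

# Constructed sample of two krb5kdc.log lines: the UNKNOWN_SERVER failure quoted in
# the thread, and one unrelated successful request that the parser must ignore.
SAMPLE_KDC_LOG = """\
Sep 21 12:24:28 vlad krb5kdc[1234](info): UNKNOWN_SERVER: authtime 1222007068,  admin@KTEST.PHY for afs/atest.phy@KTEST.PHY, Server not found in Kerberos database
Sep 21 12:25:01 vlad krb5kdc[1234](info): TGS_REQ: authtime 1222007068, admin@KTEST.PHY for krbtgt/KTEST.PHY@KTEST.PHY
"""

# Constructed principal list, as 'kadmin.local -q listprincs' might show after the
# thread's first attempt (only the bare "afs" principal was created).
SAMPLE_PRINCIPALS = ["admin@KTEST.PHY", "afs@KTEST.PHY", "krbtgt/KTEST.PHY@KTEST.PHY"]

# Matches only the UNKNOWN_SERVER fragment quoted in the thread; the rest of the
# line is not inspected, so syslog prefixes or different etypes do not matter.
UNKNOWN_SERVER_RE = re.compile(
    r"UNKNOWN_SERVER: authtime \d+,\s+(?P<client>\S+) for (?P<server>[^,\s]+),"
    r" Server not found in Kerberos database"
)


def afs_principal_candidates(cell, realm):
    """Service principals a client tries, in order: afs/<cell>@REALM, then afs@REALM."""
    return ["afs/%s@%s" % (cell, realm), "afs@%s" % realm]


def addprinc_command(cell):
    """The kadmin.local invocation from the thread that creates the preferred principal."""
    return 'kadmin.local -q "addprinc -randkey afs/%s"' % cell


def unknown_server_requests(log_text):
    """Return (client, requested server) pairs from UNKNOWN_SERVER lines in a KDC log."""
    matches = (UNKNOWN_SERVER_RE.search(line) for line in log_text.splitlines())
    return [(m.group("client"), m.group("server")) for m in matches if m]


def diagnose(cell, realm, existing_principals, log_text=""):
    """Compare what the KDC holds with what aklog will request; return a list of findings."""
    findings = []
    existing = set(existing_principals)
    candidates = afs_principal_candidates(cell, realm)

    # Jason's first point: the cell and realm names should agree (case aside).
    if cell.upper() != realm:
        findings.append("cell %r and realm %r differ; they should be the same name"
                        % (cell, realm))

    present = [p for p in candidates if p in existing]
    if not present:
        findings.append("no AFS service principal for cell %s; run: %s"
                        % (cell, addprinc_command(cell)))
    elif candidates[0] not in existing:
        # Only the legacy bare form exists; the per-cell form is the preferred one.
        findings.append("only %s exists; preferred form is %s (run: %s)"
                        % (candidates[1], candidates[0], addprinc_command(cell)))

    # Confirm the log failure really is the missing per-cell principal.
    for client, server in unknown_server_requests(log_text):
        if server in candidates and server not in existing:
            findings.append("KDC refused %s for %s: that principal is not in the database"
                            % (client, server))
    return findings


if __name__ == "__main__":
    for line in diagnose("atest.phy", "KTEST.PHY", SAMPLE_PRINCIPALS, SAMPLE_KDC_LOG):
        print(line)
```

Run against the constructed data it reports three findings: the atest/ktest name mismatch, the fact that only afs@KTEST.PHY exists, and the refused afs/atest.phy@KTEST.PHY request; with a matching realm and the per-cell principal present it reports nothing. On a real host, feed it the output of `kadmin.local -q listprincs` and the contents of /var/log/krb5kdc.log.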