[OpenAFS] Re: RHEL4 kdc/afs server - using "afs" vs "afs/<cellname>" in kerberos

Sergio Gelato Sergio.Gelato@astro.su.se
Sun, 21 Sep 2008 20:00:37 +0200

* avison48 [2008-09-21 16:56:44 +0000]:
> Thank you very much Sergio (and Jason for F9 pointer)! 
> I gave up on using the microsoft KDC server for now & as someone suggested followed the Fedora9 instructions to do as they do, own+operate RHEL kdc server on the new (test) AFS server itself to get everything working. 
> Doing this, things are progressing further.
> But it seems just using "afs" is insufficient on RHEL :

RHEL is not to blame for this.

Your cell name appears to be atest.phy, and your realm name (KTEST.PHY)
doesn't match that cell name. aklog only tries the afs@REALM principal when
strcasecmp(cell_to_use, realm_of_cell) == 0.

> root@vlad> kadmin.local -q "addprinc -randkey afs"
> Authenticating as principal root/admin@KTEST.PHY with password.
> WARNING: no policy specified for afs@KTEST.PHY; defaulting to no policy
> Principal "afs@KTEST.PHY" created.
> Because down the road aklog failed:
> aklog: Couldn't get atest.phy AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
> Based on the error in /var/log/krb5kdc.log:
> UNKNOWN_SERVER: authtime 1222007068,  admin@KTEST.PHY for
> afs/atest.phy@KTEST.PHY, Server not found in Kerberos database
> it seems pretty obvious there was a difference between
> Principal "afs@KTEST.PHY"
> and
> afs/atest.phy@KTEST.PHY
> So the solution was to instead use afs/<cellname>
> root@vlad> kadmin.local -q "addprinc -randkey afs/atest.phy"
> Then aklog works. (Is there a different/better solution?)

There is nothing wrong with using afs/<cellname>.

> But then next step fs setacl doesn't:
> root@vlad> fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'

1. did you create root.afs?
2. did you start the AFS client?
3. did you start it without -dynroot?
4. does your AFS KeyFile have the same key as your newly created AFS
   principal, with the same kvno?
5. did you remember to delete all enctypes other than DES on the
   afs/atest.phy principal? (Check the kvno afterwards: it may have changed.)
6. if you had started your servers -noauth for the initial setup, did you
   remember to restart them without that option?
7. is your Kerberos principal listed in the cell's UserList?

> I've reproduced this on another test server, exactly.
> Can anyone clarify using afs in the kerberos commands vs afs/<cellname> ??
> RHEL debugging hints welcome!
> > I also see /usr/share/doc/openafs-dbserver/README.servers.gz and
> > /usr/share/doc/openafs-dbserver/configuration-transcript.txt.gz.
> These appear to be un-RHEL things - no such package openafs-docs for RHEL.

Correct. It should have been clear from the context that these are part
of the Debian packaging.

> Could you send them to me somehow?

Will mail them off-list.

> The posting & perl scripts listed on
>   http://lists.openafs.org/pipermail/openafs-info/2005-August/019061.html
> are somewhat useful, if they're not out of date.
> Very grateful thanks for all for hints+help.
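As an added illustration of Sergio's point about aklog (not code from the thread or from OpenAFS), the helper below applies the stated rule, afs@REALM only when cell and realm match case-insensitively and afs/<cellname>@REALM otherwise, and checks it against the UNKNOWN_SERVER line quoted from /var/log/krb5kdc.log. The sample log line and the set of created principals are constructed from the values in the thread; the function names are my own.

```python
import re

def expected_afs_principal(cell: str, realm: str) -> str:
    """Principal aklog asks the KDC for, following the rule in the reply:
    afs@REALM only when strcasecmp(cell, realm) == 0, else afs/<cell>@REALM."""
    if cell.lower() == realm.lower():
        return f"afs@{realm}"
    return f"afs/{cell}@{realm}"

# Shape of the krb5kdc.log line quoted in the thread (wrapped there by the mailer).
_UNKNOWN_SERVER = re.compile(
    r"UNKNOWN_SERVER: authtime \d+,\s+(?P<client>\S+) for\s+(?P<server>\S+),"
    r" Server not found in Kerberos database"
)

def parse_unknown_server(line: str):
    """Return (client, requested server principal) from an UNKNOWN_SERVER line, or None."""
    m = _UNKNOWN_SERVER.search(line)
    return (m.group("client"), m.group("server")) if m else None

def diagnose(cell: str, realm: str, created_principals: set, kdc_log_lines: list) -> list:
    """List the mismatches between what aklog will request and what kadmin created."""
    wanted = expected_afs_principal(cell, realm)
    findings = []
    if wanted not in created_principals:
        findings.append(f"aklog will request {wanted}; KDC only has {sorted(created_principals)}")
    for line in kdc_log_lines:
        parsed = parse_unknown_server(line)
        if parsed and parsed[1] not in created_principals:
            findings.append(f"KDC log: {parsed[0]} asked for {parsed[1]}, not in database")
    return findings

# Constructed sample, using the cell, realm and log text from the thread.
SAMPLE_KDC_LOG = [
    "UNKNOWN_SERVER: authtime 1222007068,  admin@KTEST.PHY for "
    "afs/atest.phy@KTEST.PHY, Server not found in Kerberos database",
]

if __name__ == "__main__":
    # Before the fix: only "afs" was created, so both checks report a mismatch.
    for f in diagnose("atest.phy", "KTEST.PHY", {"afs@KTEST.PHY"}, SAMPLE_KDC_LOG):
        print(f)
    # After creating afs/atest.phy the diagnosis is empty.
    print(diagnose("atest.phy", "KTEST.PHY", {"afs/atest.phy@KTEST.PHY"}, SAMPLE_KDC_LOG))
```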