[OpenAFS] Re: Nat & Ports Question

Andrew Deason adeason@sinenomine.net
Fri, 12 Feb 2010 16:52:53 -0600

On Fri, 12 Feb 2010 14:41:53 -0800 (PST)
J <skyliner306@yahoo.com> wrote:

> I'm running an OpenAFS 1.4.7 server on Debian Lenny 2.6.26.
> Everything is behind a cheap D-Link router, and I have no trouble
> connecting any of my clients (both Mac and PC) on the LAN.  So I
> started doing some testing from outside, and based on what I've read
> there are problems with NAT which will probably prevent me from
> having success.

It's more hassle and more likely to be buggy, but success is not

> My Windows client (first tried OpenAFS version 1.5.65
> then upgraded to 1.5.71) gets a Kerberos ticket and AFS token, but
> then chokes on resolving the name to id (error -1).  So I was
> wondering if someone could explain to a novice what's going on there.

Resolving the name to an id on the client is not mandatory for regular
plain access to work. I know aklog has a -noprdb flag to disable looking
up the id; if you're using aklog to gain tokens, that's one way to do

> Also, I see that I need port 88 open to authenticate, which on one
> hand makes sense since this is a Kerberos port.  But most of the
> documentation I've read about AFS says I only need ports open in the
> 7000 range (specifically 7001) for minimal file server access, so I
> was wondering if I'm missing something there. Thanks in advance for
> any help you can offer.  Let me know if more information is needed.

You need port 7002 for your dbservers for looking up a name to an id
(and for general user and group administration). You will also need 7003
to your dbservers for normal file access. You need 7005 if you want
volume administration stuff to work.

7000 is the port you need to reach on the fileserver, 7001 is the
typical port that clients need to receive packets on, though the
fileserver should be able to cope with a different port.

Andrew Deason
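
An added example, not part of the original message or of OpenAFS: a small audit of NAT port-forward rules against the server-side ports named in the reply above. The rule format (`proto ports -> host`) and the sample rules are constructed for illustration, and the check assumes AFS traffic is UDP, which is general AFS knowledge rather than something stated in the thread.

```python
# Port roles are taken from the reply above. 7001 is the client-side callback
# port, so it is not part of the server-side forward audit.
AFS_PORTS = {
    7000: "fileserver (file access)",
    7002: "dbserver: name-to-id lookups, user/group administration",
    7003: "dbserver: needed for normal file access",
    7005: "volume administration",
}

def parse_forwards(text):
    """Parse lines like 'udp 7000-7003 -> 192.168.0.10' into (proto, lo, hi)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        proto, ports = line.split()[:2]
        lo, _, hi = ports.partition("-")
        rules.append((proto.lower(), int(lo), int(hi or lo)))
    return rules

def audit(rules, need_volume_admin=False):
    """Return {port: problem} for each needed AFS port not forwarded over UDP."""
    problems = {}
    for port, role in AFS_PORTS.items():
        if port == 7005 and not need_volume_admin:
            continue
        protos = {p for p, lo, hi in rules if lo <= port <= hi}
        if "udp" in protos:
            continue
        if "tcp" in protos:
            # Assumption: AFS (Rx) runs over UDP, so a TCP-only forward is useless.
            problems[port] = f"forwarded as TCP only: {role}"
        else:
            problems[port] = f"not forwarded: {role}"
    return problems

# Constructed sample: a router that forwards Kerberos and 7000-7001 over UDP,
# plus 7002 with the wrong protocol.
SAMPLE = """
udp 88 -> 192.168.0.10        # Kerberos
udp 7000-7001 -> 192.168.0.10
tcp 7002 -> 192.168.0.10
"""

if __name__ == "__main__":
    for port, msg in sorted(audit(parse_forwards(SAMPLE)).items()):
        print(port, msg)
```

On the sample rules this flags 7002 and 7003, the two dbserver ports the reply says are needed for name-to-id lookups and normal file access.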