Fwd: [OpenAFS] Principal afs@A.COM vs. afs/a.com@A.COM ?

Derrick Brashear shadow@gmail.com
Tue, 31 Jan 2012 23:12:38 -0500


Alexander got this 16 hours ago, but you list subscribers did not due
to an issue with the list server. Here it is for posterity.


---------- Forwarded message ----------
From: Derrick Brashear <shadow@gmail.com>
Date: Tue, Jan 31, 2012 at 7:44 AM
Subject: Re: [OpenAFS] Principal afs@A.COM vs. afs/a.com@A.COM ?
To: Alexander Lazarević <alexander@lazarevic.de>
Cc: openafs-info@openafs.org


If you do decide to change principal names (and afs/cell@ is
recommended) know that you just need to rename the principal in your KDC.
The key will stay the same, and the AFS KeyFile doesn't care about the
principal name, only the key itself... which won't have changed.

That it works this way is an accident of the structuring of the
principal finding code in aklog; you can avoid changing the name if
you don't want to based on what's in the host to realm mappings in your krb5.conf.
But given you can't control the krb5.confs on every machine, nor their
aklogs, it's probably best to just change the principal name.

On Tue, Jan 31, 2012 at 6:55 AM, Alexander Lazarević
<alexander@lazarevic.de> wrote:
> Hi!
>
> I have a rather small and simple setup (based on the description in [1])
> with two ubuntu file servers and a couple of clients. Because of the small
> setup I used to move configuration files around. Now I got scared by the
> message that 1.6.0 fileservers were unsafe to use [2] and upgraded the
> openafs installation on the ubuntu boxes to 1.6.1~pre1-1. This now works as
> good as before, but I think I'm seeing some timeouts especially using a
> 1.7.x windows client. But I still have to figure out if this is just a
> misconfiguration or a real problem.
>
> Because while upgrading I added SRV entries for kerberos and openafs to my
> nameserver. Kerberos authentication just worked out of the box. As you might
> have guessed by now, getting access to afs wasn't working that easily.
>
> smith@ubuntuclient:~$ aklog
>
> aklog: Couldn't get mydomain.com AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
>
> smith@ubuntuclient:~$ aklog -d
>
> Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
> Trying to authenticate to user's realm MYDOMAIN.COM.
> Getting tickets: afs/mydomain.com@MYDOMAIN.COM
> We've deduced that we need to authenticate using referrals.
> Getting tickets: afs/mydomain.com@
> We've deduced that we need to authenticate to realm HOME.MYDOMAIN.COM.
> Getting tickets: afs/mydomain.com@HOME.MYDOMAIN.COM
> Kerberos error code returned by get_cred : -1765328377
> aklog: Couldn't get mydomain.com AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
>
> smith@ubuntuclient:~$ aklog -d mydomain.com -k MYDOMAIN.COM
>
> Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
> We were told to authenticate to realm MYDOMAIN.COM.
> Getting tickets: afs/mydomain.com@MYDOMAIN.COM
> Getting tickets: afs/mydomain.com@MYDOMAIN.COM
> Getting tickets: afs@MYDOMAIN.COM
> Using Kerberos V5 ticket natively
> About to resolve name smith to id in cell mydomain.com.
> Id 20000
> Set username to AFS ID 20000
> Setting tokens. AFS ID 20000 @ mydomain.com
>
> The principal I used until now was afs@MYDOMAIN.COM. Do I need to create a
> new principal afs/mydomain.com@MYDOMAIN.COM and make afs use this one, to
> make the above work with just using aklog? Should I change user principals
> as well?
>
> Thanks,
> Alex
>
> [1]
> http://www.debian-administration.org/article/610/OpenAFS_installation_on_Debian
> [2]
> http://old.nabble.com/Re%3A-Timeouts-and-odd-behavior-with-1.6.0-file-servers-p33204316.html
>



--
Derrick
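To make the lookup order visible, here is a small model of the principal search that the `aklog -d` traces above show. It is an added illustration written for this archive page, not aklog's own code and not anything Derrick or Alexander posted: the candidate order is inferred from the three debug traces, the "KDC" is a constructed set of principal names, and the `[domain_realm]`-style mapping is a constructed stand-in for the host-to-realm mappings in krb5.conf that Derrick refers to. It shows why the default run dead-ends in HOME.MYDOMAIN.COM, why `-k MYDOMAIN.COM` succeeds via the `afs@REALM` fallback, and why renaming the principal to `afs/mydomain.com@MYDOMAIN.COM` (same key) makes a plain `aklog` work.

```python
"""Model of the principal search order seen in the aklog -d traces above.

Added illustration, not aklog source. The candidate order is inferred
from the debug output in the thread; the KDC contents and the
domain-to-realm mapping are constructed sample data.
"""

# Constructed KDC contents before and after renaming the service principal.
# Renaming keeps the key, so the AFS KeyFile is unaffected (as the reply says).
KDC_BEFORE = {"afs@MYDOMAIN.COM"}
KDC_AFTER = {"afs/mydomain.com@MYDOMAIN.COM"}

# Constructed stand-in for the host-to-realm ([domain_realm]) mapping
# that a client's krb5.conf would carry.
DOMAIN_REALM = {"home.mydomain.com": "HOME.MYDOMAIN.COM"}


def realm_for_host(host, mapping=DOMAIN_REALM):
    """Derive a realm from a server hostname: longest matching domain
    suffix in the mapping, else the upper-cased parent domain."""
    parts = host.lower().split(".")
    for i in range(1, len(parts)):
        suffix = ".".join(parts[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(parts[1:]).upper()


def candidate_principals(cell, server, user_realm, explicit_realm=None):
    """Principals tried, in order, as the -d traces show them.

    With -k REALM:   afs/<cell>@REALM, then afs@REALM.
    Without -k:      afs/<cell>@<user's realm>, then a referral request
                     (empty realm), then afs/<cell>@<realm derived from
                     the server hostname>; afs@<realm> is never attempted.
    """
    if explicit_realm:
        return [f"afs/{cell}@{explicit_realm}", f"afs@{explicit_realm}"]
    return [
        f"afs/{cell}@{user_realm}",
        f"afs/{cell}@",  # referral: KDC is asked to supply the realm
        f"afs/{cell}@{realm_for_host(server)}",
    ]


def resolve(kdc, cell, server, user_realm, explicit_realm=None):
    """Return the first candidate the KDC knows, or None when every
    candidate fails (the 'unknown RPC error' case in the thread)."""
    for principal in candidate_principals(cell, server, user_realm, explicit_realm):
        if principal in kdc:
            return principal
    return None


if __name__ == "__main__":
    cell, server, realm = "mydomain.com", "afsdb.home.mydomain.com", "MYDOMAIN.COM"
    print("default, old name:", resolve(KDC_BEFORE, cell, server, realm))
    print("-k REALM, old name:", resolve(KDC_BEFORE, cell, server, realm, realm))
    print("default, renamed:", resolve(KDC_AFTER, cell, server, realm))
```

The three calls in the `__main__` block correspond to the three traces Alexander posted: the first returns `None`, the second finds `afs@MYDOMAIN.COM` only because the explicit realm enables the `afs@REALM` fallback, and the third succeeds on the first candidate once the principal carries the cell name.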

