[OpenAFS] Principal afs@A.COM vs. afs/a.com@A.COM ?

Alexander Lazarević alexander@lazarevic.de
Tue, 31 Jan 2012 12:55:57 +0100



Hi!

I have a rather small and simple setup (based on the description in [1])
with two Ubuntu file servers and a couple of clients. Because of the small
setup I used to move configuration files around. Now I got scared by the
message that 1.6.0 fileservers were unsafe to use [2] and upgraded the
OpenAFS installation on the Ubuntu boxes to 1.6.1~pre1-1. This now works as
well as before, but I think I'm seeing some timeouts, especially using a
1.7.x Windows client. But I still have to figure out if this is just a
misconfiguration or a real problem.

Because while upgrading I added SRV entries for Kerberos and OpenAFS to my
nameserver. Kerberos authentication just worked out of the box. As you
might have guessed by now, getting access to AFS wasn't working that easily.

smith@ubuntuclient:~$ aklog

aklog: Couldn't get mydomain.com AFS tickets:
aklog: unknown RPC error (-1765328377) while getting AFS tickets

smith@ubuntuclient:~$ aklog -d

Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
Trying to authenticate to user's realm MYDOMAIN.COM.
Getting tickets: afs/mydomain.com@MYDOMAIN.COM
We've deduced that we need to authenticate using referrals.
Getting tickets: afs/mydomain.com@
We've deduced that we need to authenticate to realm HOME.MYDOMAIN.COM.
Getting tickets: afs/mydomain.com@HOME.MYDOMAIN.COM
Kerberos error code returned by get_cred : -1765328377
aklog: Couldn't get mydomain.com AFS tickets:
aklog: unknown RPC error (-1765328377) while getting AFS tickets

smith@ubuntuclient:~$ aklog -d mydomain.com -k MYDOMAIN.COM

Authenticating to cell mydomain.com (server afsdb.home.mydomain.com).
We were told to authenticate to realm MYDOMAIN.COM.
Getting tickets: afs/mydomain.com@MYDOMAIN.COM
Getting tickets: afs/mydomain.com@MYDOMAIN.COM
Getting tickets: afs@MYDOMAIN.COM
Using Kerberos V5 ticket natively
About to resolve name smith to id in cell mydomain.com.
Id 20000
Set username to AFS ID 20000
Setting tokens. AFS ID 20000 @ mydomain.com

The principal I used until now was afs@MYDOMAIN.COM. Do I need to create a
new principal afs/mydomain.com@MYDOMAIN.COM and make AFS use this one, to
make the above work with just using aklog? Should I change user principals
as well?

Thanks,
 Alex

[1] http://www.debian-administration.org/article/610/OpenAFS_installation_on_Debian
[2] http://old.nabble.com/Re%3A-Timeouts-and-odd-behavior-with-1.6.0-file-servers-p33204316.html
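
Added example, not part of the original post: a small Python parser for the aklog -d traces above that lists the service principals and realms tried in each run and decodes the raw error number. The function names are hypothetical; the decoding assumes the MIT krb5 error-table base of -1765328384, under which -1765328377 is offset 7, KDC_ERR_S_PRINCIPAL_UNKNOWN.

```python
import re

KRB5_TABLE_BASE = -1765328384  # MIT krb5 com_err base: protocol error N is BASE + N

# A few RFC 4120 error codes that show up when requesting service tickets.
KRB5_PROTOCOL_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: client not found in Kerberos database",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN: server not found in Kerberos database",
    14: "KDC_ERR_ETYPE_NOSUPP: KDC has no support for encryption type",
    32: "KRB_AP_ERR_TKT_EXPIRED: ticket expired",
    37: "KRB_AP_ERR_SKEW: clock skew too great",
}

def decode_krb5_error(code):
    """Map a raw com_err number printed by aklog to a Kerberos protocol error."""
    offset = code - KRB5_TABLE_BASE
    return KRB5_PROTOCOL_ERRORS.get(offset, f"krb5 error table offset {offset}")

def parse_aklog_debug(text):
    """Summarise one aklog -d run: principals tried, outcome, decoded error."""
    attempts = re.findall(r"^Getting tickets: (\S+)", text, re.M)
    err = re.search(r"(?:get_cred\s*:\s*|RPC error \()(-?\d+)", text)
    got_token = "Setting tokens" in text
    return {
        "attempts": attempts,
        "realms": [p.rpartition("@")[2] for p in attempts],
        # Assumption: the last principal requested before success is the one granted.
        "granted": attempts[-1] if got_token and attempts else None,
        "error": decode_krb5_error(int(err.group(1))) if err else None,
    }

# Debug lines copied from the two runs in the post above.
FAILED_RUN = """\
Trying to authenticate to user's realm MYDOMAIN.COM.
Getting tickets: afs/mydomain.com@MYDOMAIN.COM
We've deduced that we need to authenticate using referrals.
Getting tickets: afs/mydomain.com@
We've deduced that we need to authenticate to realm HOME.MYDOMAIN.COM.
Getting tickets: afs/mydomain.com@HOME.MYDOMAIN.COM
Kerberos error code returned by get_cred : -1765328377
"""
FORCED_REALM_RUN = """\
We were told to authenticate to realm MYDOMAIN.COM.
Getting tickets: afs/mydomain.com@MYDOMAIN.COM
Getting tickets: afs/mydomain.com@MYDOMAIN.COM
Getting tickets: afs@MYDOMAIN.COM
Setting tokens. AFS ID 20000 @ mydomain.com
"""

if __name__ == "__main__":
    for run in (FAILED_RUN, FORCED_REALM_RUN):
        print(parse_aklog_debug(run))
```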
