[OpenAFS] Principal afs@A.COM vs. afs/a.com@A.COM ?

Jeffrey Altman jaltman@your-file-system.com
Tue, 31 Jan 2012 09:17:33 -0500 

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigF0B5180B4DE9DBE78DEAD635
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

You want to use the afs/cell@REALM service principal form for the AFS
service principal.   As the Windows aklog is informing you, given the
local Kerberos configuration and the version of Kerberos installed,
aklog must use Kerberos referrals to request the AFS service ticket.
What this means to you is that the Kerberos library configuration is
unable to determine the Kerberos realm that is associated with the AFS
cell.  Therefore, it must rely upon the Kerberos KDC of the client
principal to know the answer.

Why did you choose to create afs@REALM instead of afs/cell@REALM?

If it is because of documentation you read on openafs.org, please point
us to it so that the documentation can be corrected.

No one should be creating new cells using the afs@REALM service
principal names.

There is nothing that needs to be done to your client principals.

Jeffrey Altman


On 1/31/2012 6:55 AM, Alexander Lazarevi=C4=87 wrote:
> Hi!
>=20
> I have a rather small and simple setup (based on the description in [1]=
)
> with two ubuntu file servers and a couple of clients. Because of the
> small setup I used to move configuration files around. Now I got scared=

> by the message that 1.6.0 fileservers were unsafe to use [2] and
> upgraded the openafs installation on the ubuntu boxes to 1.6.1~pre1-1.
> This now works as good as before, but I think I'm seeing some timeouts
> especially using a 1.7.x windows client. But I still have to figure out=

> if this is just a misconfiguration or a real problem.
>=20
> Because while upgrading I added SRV entries for kerberos and openafs to=

> my nameserver. Kerberos authentication just worked out of the box. As
> you might have guessed by now, getting access to afs wasn't working tha=
t
> easily.
>=20
> smith@ubuntuclient:~$ aklog
>=20
> aklog: Couldn't get mydomain.com <http://mydomain.com> AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
>=20
> smith@ubuntuclient:~$ aklog -d
>=20
> Authenticating to cell mydomain.com <http://mydomain.com> (server
> afsdb.home.mydomain.com <http://afsdb.home.mydomain.com>).
> Trying to authenticate to user's realm MYDOMAIN.COM <http://MYDOMAIN.CO=
M>.
> Getting tickets: afs/mydomain.com@MYDOMAIN.COM
> <mailto:mydomain.com@MYDOMAIN.COM>
> We've deduced that we need to authenticate using referrals.
> Getting tickets: afs/mydomain.com@
> We've deduced that we need to authenticate to realm HOME.MYDOMAIN.COM
> <http://HOME.MYDOMAIN.COM>.
> Getting tickets: afs/mydomain.com@HOME.MYDOMAIN.COM
> <mailto:mydomain.com@HOME.MYDOMAIN.COM>
> Kerberos error code returned by get_cred : -1765328377
> aklog: Couldn't get mydomain.com <http://mydomain.com> AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets
>=20
> smith@ubuntuclient:~$ aklog -d mydomain.com <http://mydomain.com> -k
> MYDOMAIN.COM <http://MYDOMAIN.COM>
>=20
> Authenticating to cell mydomain.com <http://mydomain.com> (server
> afsdb.home.mydomain.com <http://afsdb.home.mydomain.com>).
> We were told to authenticate to realm MYDOMAIN.COM <http://MYDOMAIN.COM=
>.
> Getting tickets: afs/mydomain.com@MYDOMAIN.COM
> <mailto:mydomain.com@MYDOMAIN.COM>
> Getting tickets: afs/mydomain.com@MYDOMAIN.COM
> <mailto:mydomain.com@MYDOMAIN.COM>
> Getting tickets: afs@MYDOMAIN.COM <mailto:afs@MYDOMAIN.COM>
> Using Kerberos V5 ticket natively
> About to resolve name smith to id in cell mydomain.com
> <http://mydomain.com>.
> Id 20000
> Set username to AFS ID 20000
> Setting tokens. AFS ID 20000 @ mydomain.com <http://mydomain.com>
>=20
> The principal I used until now was afs@MYDOMAIN.COM
> <mailto:afs@MYDOMAIN.COM> . Do I need to create a new principal
> afs/mydomain.com@MYDOMAIN.COM <mailto:mydomain.com@MYDOMAIN.COM> and
> make afs use this one, to make the above work with just using aklog?
> Should I change user principals as well?
>=20
> Thanks,
>  Alex
> =20
> [1]
> http://www.debian-administration.org/article/610/OpenAFS_installation_o=
n_Debian
> [2]
> http://old.nabble.com/Re%3A-Timeouts-and-odd-behavior-with-1.6.0-file-s=
ervers-p33204316.html
>=20


--------------enigF0B5180B4DE9DBE78DEAD635
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJPJ/gCAAoJENxm1CNJffh4wWEH/2oRYc0On2WjS05sXvag/BGM
mIeBTUtLoVjQXIf3yo+LxOfDOGLRo5EiMjpWfo2/qxpNg99UZGVZbk75CGtjgmFH
38kW0jrB+15aXBIKo/lAzkFMqPJfQ2g25scwG0syXN8PJwXmifM+vOYXk8NrcAW2
ZxWd+DTVvpQzCjP5EEzZN1WOUhUKAHskBQN9Tae8fwGyKwtL4aUU+l22RXS0ecZb
tmsp1YdrmO+duRaJ7+y6IaWCWm+C9O4fNGeKEDusjbMbRb41H++7v3613sA1I9H1
cl/Fj7kk69DOk3YTUv/gT9BxdcqxeHze5jn786QrZtnqnaOmjofmu8l9axiOezs=
=VGoN
-----END PGP SIGNATURE-----

--------------enigF0B5180B4DE9DBE78DEAD635--