[OpenAFS] Trying OpenAFS, and missing

Kristofer Pettijohn kristofer@cybernetik.net
Tue, 31 Dec 2013 20:31:55 -0600 (CST)



Hello, 

I am trying OpenAFS, but it does not seem to be working correctly with Kerberos. 

I am attempting to install an OpenAFS server and client on the same machine (Ubuntu 13.10), using Samba4 as an AD controller with its built-in Kerberos server. The server uses PowerBroker for authentication and Kerberos.

The steps I followed and documented as I went (from the Quickstart guide for Linux) are listed below. 

No matter what I do, I receive an error about an unknown key version number. 

root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com -localauth 
key 6 has cksum 1466094097 
Keys last changed on Tue Dec 31 21:06:31 2013. 
All done. 
root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com 
bos: ticket contained unknown key version number error encountered while listing keys 
root@ueafs1:/etc# 

The keytab appears to be fine, and shows the correct version:

root@ueafs1:/etc# /opt/pbis/bin/klist -k /etc/afs.keytab 
Keytab name: WRFILE:/etc/afs.keytab 
KVNO Principal 
---- -------------------------------------------------------------------------- 
6 afs/ad.domain.com@AD.DOMAIN.COM 


What might I be missing? I've spent a solid 8 hours monkeying with this and making no progress. 

Thanks in advance. 



* Installation steps 

# Download Powerbroker and install 

wget http://download.beyondtrust.com/PBISO/7.5.3.1536/linux.deb.x64/pbis-open-7.5.3.1536.linux.x86_64.deb.sh 
sh ./pbis-open-7.5.3.1536.linux.x86_64.deb.sh 

# Join to domain 

domainjoin-cli join --ou 'All Computers/Servers' AD.DOMAIN.COM username 
/opt/pbis/bin/config UserDomainPrefix BRS 
/opt/pbis/bin/config AssumeDefaultDomain true 
/opt/pbis/bin/config HomeDirTemplate "%H/%U" 
/opt/pbis/bin/config LoginShellTemplate /bin/bash 
reboot 

# Add OpenAFS repository 

add-apt-repository ppa:openafs/stable 
apt-get update 

# Set up 2nd volume in LVM 

apt-get install lvm2 

# Set partition type to Linux LVM (device name corrected from a typo; later steps use /dev/xvdf1)
fdisk /dev/xvdf

pvcreate /dev/xvdf1 
vgcreate vgafs /dev/xvdf1 
lvcreate -l 6399 -n vicepa vgafs 
mkdir /vicepa 
echo "/dev/vgafs/vicepa /vicepa ext4 defaults 0 0" >> /etc/fstab 
mount /vicepa 

# Install OpenAFS packages 
# Set cell name to match Kerberos Realm when prompted 
apt-get install libpam-openafs-kaserver openafs-client openafs-dbserver openafs-fileserver openafs-krb5 

# Stop OpenAFS processes and start BOS with -noauth 
/etc/init.d/openafs-fileserver stop 
/usr/sbin/bosserver -noauth 

# Edit /etc/openafs/CellServDB and add realm and server 

bos setcellname <servername> <cellname> -noauth 
bos listhosts <servername> -noauth 

# Ensure that proper IP address is in /etc/openafs/server/CellServDB, and not 127.0.0.1 

bos create ueafs1.ad.domain.com buserver simple /usr/lib/openafs/buserver -noauth 
bos create ueafs1.ad.domain.com ptserver simple /usr/lib/openafs/ptserver -noauth 
bos create ueafs1.ad.domain.com vlserver simple /usr/lib/openafs/vlserver -noauth 

# Create "afs" user in AD 

samba-tool spn add afs/ad.domain.com afs 
samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com 

# Also tried from Windows using the following and copying the keytab: 
ktpass -princ afs/ad.domain.com@AD.DOMAIN.COM -mapuser afs@AD.DOMAIN.COM -mapOp add -out keytab.afs +rndPass -ptype KRB5_NT_PRINCIPAL +DumpSalt -crypto DES-CBC-CRC 

# Copy /tmp/afs from Samba (or from Windows) to OpenAFS server in /etc/afs.keytab 

/opt/pbis/bin/kinit Administrator@AD.DOMAIN.COM 
/opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com 
asetkey add 6 /etc/afs.keytab afs/ad.domain.com 
bos adduser ueafs1.ad.domain.com admin -noauth 
bos adduser ueafs1.ad.domain.com kpettijohn -noauth 
bos listkeys ueafs1.ad.domain.com -noauth 

# Kill bos and restart 

pkill bosserver 
/usr/sbin/bosserver -noauth 

# Initialize Protection Database 

pts createuser -name admin -noauth 
pts createuser -name kpettijohn -noauth 
pts adduser admin system:administrators -noauth 
pts adduser kpettijohn system:administrators -noauth 
pts membership admin -noauth 
bos restart ueafs1.ad.domain.com -all -noauth 

# Start file server processes 

bos create ueafs1.ad.domain.com fs fs /usr/lib/openafs/fileserver \ 
/usr/lib/openafs/volserver /usr/lib/openafs/salvager -noauth 
bos status ueafs1.ad.domain.com fs -long -noauth 

vos create ueafs1.ad.domain.com vicepa root.afs -noauth 

# Update server 

bos create ueafs1.ad.domain.com upserver simple "/usr/lib/openafs/upserver -crypt /etc/openafs" -noauth 

# Restart BOS server using packages 

pkill bosserver 
/etc/init.d/openafs-fileserver start 

