[OpenAFS] Trying OpenAFS, and missing
Kristofer Pettijohn
kristofer@cybernetik.net
Tue, 31 Dec 2013 23:32:47 -0600 (CST)
When I use aklog, it appears to get the ticket and token successfully:
kpettijohn@ueafs1:~$ aklog -d
Authenticating to cell ad.domain.com (server ueafs1.ad.domain.com).
Trying to authenticate to user's realm AD.DOMAIN.COM.
Getting tickets: afs/ad.domain.com@AD.DOMAIN.COM
Using Kerberos V5 ticket natively
About to resolve name kpettijohn to id in cell ad.domain.com.
Id 2
Set username to AFS ID 2
Setting tokens. AFS ID 2 @ ad.domain.com
kpettijohn@ueafs1:~$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 2) tokens for afs@ad.domain.com [Expires Jan 1 10:28]
--End of list--
kpettijohn@ueafs1:~$
However, when I run a "vos listvol" after that, I receive the "unknown key version number" and am still at a loss. If anyone could help point me at what I might be missing, I would greatly appreciate it.
kpettijohn@ueafs1:~$ vos listvol ueafs1.ad.domain.com
Could not fetch the list of partitions from the server
rxk: ticket contained unknown key version number
Error in vos listvol command.
rxk: ticket contained unknown key version number
kpettijohn@ueafs1:~$
----- Original Message -----
From: "Kristofer Pettijohn" <kristofer@cybernetik.net>
To: openafs-info@openafs.org
Sent: Tuesday, December 31, 2013 8:31:55 PM
Subject: [OpenAFS] Trying OpenAFS, and missing
Hello,
I am trying OpenAFS, but it does not seem to be working correctly with Kerberos.
I am attempting to install an OpenAFS server and client on the same machine (Ubuntu 13.10), using Samba4 as an AD controller with its built-in Kerberos server. The server uses PowerBroker for authentication and Kerberos.
The steps I followed and documented as I went (from the Quickstart guide for Linux) are listed below.
No matter what I do, I receive an error about an unknown key version number.
root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com -localauth
key 6 has cksum 1466094097
Keys last changed on Tue Dec 31 21:06:31 2013.
All done.
root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com
bos: ticket contained unknown key version number error encountered while listing keys
root@ueafs1:/etc#
The keytab appears to be fine, and shows the correct version:
root@ueafs1:/etc# /opt/pbis/bin/klist -k /etc/afs.keytab
Keytab name: WRFILE:/etc/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 afs/ad.domain.com@AD.DOMAIN.COM
What might I be missing? I've spent a solid 8 hours monkeying with this and making no progress.
Thanks in advance.
* Installation steps
# Download Powerbroker and install
wget http://download.beyondtrust.com/PBISO/7.5.3.1536/linux.deb.x64/pbis-open-7.5.3.1536.linux.x86_64.deb.sh
sh ./pbis-open-7.5.3.1536.linux.x86_64.deb.sh
# Join to domain
domainjoin-cli join --ou 'All Computers/Servers' AD.DOMAIN.COM username
/opt/pbis/bin/config UserDomainPrefix BRS
/opt/pbis/bin/config AssumeDefaultDomain true
/opt/pbis/bin/config HomeDirTemplate "%H/%U"
/opt/pbis/bin/config LoginShellTemplate /bin/bash
reboot
# Add OpenAFS repository
add-apt-repository ppa:openafs/stable
apt-get update
# Set up 2nd volume in LVM
apt-get install lvm2
# Set partition type to Linux LVM
fdisk /dev/xvdf
pvcreate /dev/xvdf1
vgcreate vgafs /dev/xvdf1
lvcreate -l 6399 -n vicepa vgafs
mkdir /vicepa
echo "/dev/vgafs/vicepa /vicepa ext4 defaults 0 0" >> /etc/fstab
mount /vicepa
# Install OpenAFS packages
# Set cell name to match Kerberos Realm when prompted
apt-get install libpam-openafs-kaserver openafs-client openafs-dbserver openafs-fileserver openafs-krb5
# Stop OpenAFS processes and start BOS with -noauth
/etc/init.d/openafs-fileserver stop
/usr/sbin/bosserver -noauth
# Edit /etc/openafs/CellServDB and add realm and server
bos setcellname <servername> <cellname> -noauth
bos listhosts <servername> -noauth
# Ensure that proper IP address is in /etc/openafs/server/CellServDB, and not 127.0.0.1
bos create ueafs1.ad.domain.com buserver simple /usr/lib/openafs/buserver -noauth
bos create ueafs1.ad.domain.com ptserver simple /usr/lib/openafs/ptserver -noauth
bos create ueafs1.ad.domain.com vlserver simple /usr/lib/openafs/vlserver -noauth
# Create "afs" user in AD
samba-tool spn add afs/ad.domain.com afs
samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com
# Also tried from Windows using the following and copying the keytab:
ktpass -princ afs/ad.domain.com@AD.DOMAIN.COM -mapuser afs@AD.DOMAIN.COM -mapOp add -out keytab.afs +rndPass -ptype KRB5_NT_PRINCIPAL +DumpSalt -crypto DES-CBC-CRC
# Copy /tmp/afs from Samba (or from Windows) to OpenAFS server in /etc/afs.keytab
/opt/pbis/bin/kinit Administrator@AD.DOMAIN.COM
/opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
asetkey add 6 /etc/afs.keytab afs/ad.domain.com
bos adduser ueafs1.ad.domain.com admin -noauth
bos adduser ueafs1.ad.domain.com kpettijohn -noauth
bos listkeys ueafs1.ad.domain.com -noauth
# Kill bos and restart
pkill bosserver
/usr/sbin/bosserver -noauth
# Initialize Protection Database
pts createuser -name admin -noauth
pts createuser -name kpettijohn -noauth
pts adduser admin system:administrators -noauth
pts adduser kpettijohn system:administrators -noauth
pts membership admin -noauth
bos restart ueafs1.ad.domain.com -all -noauth
# Start file server processes
bos create ueafs1.ad.domain.com fs fs /usr/lib/openafs/fileserver \
/usr/lib/openafs/volserver /usr/lib/openafs/salvager -noauth
bos status ueafs1.ad.domain.com fs -long -noauth
vos create ueafs1.ad.domain.com vicepa root.afs -noauth
# Update server
bos create ueafs1.ad.domain.com upserver simple "/usr/lib/openafs/upserver -crypt /etc/openafs" -noauth
# Restart BOS server using packages
pkill bosserver
/etc/init.d/openafs-fileserver start
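The error in both messages comes from rxkad on the server side: it is raised when the server holds no key matching the key version number (kvno) and enctype of the service ticket it was just handed. Matching kvnos alone (keytab 6, KeyFile 6) does not settle that, because the OpenAFS KeyFile that `bos listkeys` shows only ever holds DES keys, while the KDC may be issuing afs/cell tickets with a different enctype or, after a password reset such as ktpass `+rndPass`, a different kvno than the keytab that was exported earlier. The following diagnostic is an added example, not from the original post and not part of OpenAFS: it compares the keytab fed to asetkey, the ticket the KDC actually issues, and reports the first disagreement. It parses captured command output so it runs offline; the sample output below is constructed, and the parsers assume MIT-style `klist`/`kvno` formatting (an assumption for the PBIS-bundled tools, so verify the format on your host).

```shell
#!/bin/sh
# Added diagnostic, not part of the original post or of OpenAFS.
# rxkad answers "ticket contained unknown key version number" when the
# server holds no key for the (kvno, enctype) pair of the ticket it was
# handed. Three things must agree: the keytab given to asetkey, the ticket
# the KDC actually issues, and the key the servers loaded from it. The
# functions below parse captured text so the check can run offline; the
# parsers assume MIT-style klist/kvno output (an assumption for PBIS tools).

# keytab_entries "<klist -ke output>" principal -> "kvno enctype" per line
keytab_entries() {
    printf '%s\n' "$1" | awk -v princ="$2" '
        # rows look like:   6 afs/ad.domain.com@AD.DOMAIN.COM (des-cbc-crc)
        $1 ~ /^[0-9]+$/ && $2 == princ {
            enc = $3; gsub(/[()]/, "", enc)
            print $1, enc
        }'
}

# ticket_kvno "<kvno output>" principal -> kvno the KDC put in the ticket
# `kvno afs/cell` prints:  afs/ad.domain.com@AD.DOMAIN.COM: kvno = 6
ticket_kvno() {
    printf '%s\n' "$1" | awk -v princ="$2" \
        '$1 == (princ ":") && $2 == "kvno" { print $4 }'
}

# ticket_enctype "<klist -e output>" principal -> enctype of the ticket itself,
# the second name in "Etype (skey, tkt): <session key>, <ticket>"
ticket_enctype() {
    printf '%s\n' "$1" | awk -v princ="$2" '
        $NF == princ { want = 1; next }
        want && /Etype/ { print $NF; exit }'
}

# key_matches "<keytab_entries output>" kvno enctype -> 0 if that pair is present
key_matches() {
    printf '%s\n' "$1" | awk -v k="$2" -v e="$3" '
        $1 == k && $2 == e { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose <klist -ke text> <kvno text> <klist -e text> principal
# returns 0 on match, 1 on kvno/enctype mismatch, 2 if no ticket was found
diagnose() {
    entries=$(keytab_entries "$1" "$4")
    k=$(ticket_kvno "$2" "$4")
    e=$(ticket_enctype "$3" "$4")
    if [ -z "$k" ] || [ -z "$e" ]; then
        echo "no ticket for $4 in the cache; run kinit and kvno $4 first"
        return 2
    fi
    if key_matches "$entries" "$k" "$e"; then
        echo "OK: keytab holds kvno $k $e, matching the issued ticket"
        return 0
    fi
    echo "MISMATCH: KDC issued kvno $k $e; keytab holds:"
    printf '%s\n' "${entries:-(no entry for $4)}" | sed 's/^/  /'
    return 1
}

# --- constructed sample output, not captured from the thread ---
# A DES-only keytab at kvno 6 next to a KDC that issues AES tickets at kvno 6:
# the kvno agrees, the enctype does not, and rxkad still has no usable key.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 afs/ad.domain.com@AD.DOMAIN.COM (des-cbc-crc)'
SAMPLE_KVNO='afs/ad.domain.com@AD.DOMAIN.COM: kvno = 6'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kpettijohn@AD.DOMAIN.COM

Valid starting       Expires              Service principal
01/01/14 00:28:47  01/01/14 10:28:47  afs/ad.domain.com@AD.DOMAIN.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# On the real host, pass live output instead of the samples:
#   diagnose "$(klist -ke /etc/afs.keytab)" "$(kvno afs/ad.domain.com)" \
#            "$(klist -e)" afs/ad.domain.com@AD.DOMAIN.COM
diagnose "$SAMPLE_KEYTAB" "$SAMPLE_KVNO" "$SAMPLE_KLIST" \
    afs/ad.domain.com@AD.DOMAIN.COM || echo "(exit status $?)"
```

Run it after `kinit` as the user who gets the error, so `klist -e` shows the afs/cell ticket that `vos` and `bos` actually present. A MISMATCH on kvno means the keytab predates a password change on the afs account (ktpass `+rndPass` is one such change; AD increments the kvno every time) and must be re-exported and fed to `asetkey` again, followed by a restart of the server processes. A MISMATCH on enctype alone means the servers were only ever given a DES key: whether they can hold the enctype the KDC issues depends on the OpenAFS release, so compare against `asetkey list` on the server, and otherwise either make the KDC issue afs/cell tickets in an enctype the server holds or install a key of the issued enctype.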