[OpenAFS] Trying OpenAFS, and missing

Dirk Heinrichs dirk.heinrichs@altum.de
Wed, 01 Jan 2014 10:17:36 +0100


On 01.01.2014 03:31, Kristofer Pettijohn wrote:
> Hello,
>
> I am trying OpenAFS, but it does not seem to be working correctly with
> Kerberos.
>
> I am attempting to install an OpenAFS server and client on the same
> machine (Ubuntu 13.10), using Samba4 as an AD controller with its built
> in Kerberos server.  The server uses PowerBroker for authentication and
> kerberos.
>
> The steps I followed and documented as I went (from the Quickstart guide
> for Linux) are listed below.

On Debian/Ubuntu, you can also run the afs-newcell script after 
installation.

> No matter what I do, I receive an error about an unknown key version number.
>
> root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com -localauth
> key 6 has cksum 1466094097
> Keys last changed on Tue Dec 31 21:06:31 2013.
> All done.
> root@ueafs1:/etc# bos listkeys ueafs1.ad.domain.com
> bos: ticket contained unknown key version number error encountered while
> listing keys
> root@ueafs1:/etc#
>
> The keytab appears to be fine, and shows the correct version:
>
> root@ueafs1:/etc# /opt/pbis/bin/klist -k /etc/afs.keytab
> Keytab name: WRFILE:/etc/afs.keytab
> KVNO Principal
> ---- ----------------------------------------------------------------
>    6 afs/ad.domain.com@AD.DOMAIN.COM
>
>
> What might I be missing?  I've spent a solid 8 hours monkeying with this
> and making no progress.

Did you check that the kvno in your OpenAFS keyfile matches the kvno of 
the key in your KDC? If they don't match, you need to export the key 
again (each modification changes the kvno).

> # Add OpenAFS repository
>
> add-apt-repository ppa:openafs/stable
> apt-get update
> # Install OpenAFS packages
> # Set cell name to match Kerberos Realm when prompted
> apt-get install libpam-openafs-kaserver openafs-client openafs-dbserver openafs-fileserver openafs-krb5

You don't want libpam-openafs-kaserver, but libpam-afs-session (but 
that's not related to your problem).

> # Stop OpenAFS processes and start BOS with -noauth
> /etc/init.d/openafs-fileserver stop
> /usr/sbin/bosserver -noauth
>
> # Edit /etc/openafs/CellServDB and add realm and server
>
> bos setcellname <servername> <cellname> -noauth
> bos listhosts <servername> -noauth
>
> # Ensure that proper IP address is in /etc/openafs/server/CellServDB,
> and not 127.0.0.1
>
> bos create ueafs1.ad.domain.com buserver simple /usr/lib/openafs/buserver -noauth
> bos create ueafs1.ad.domain.com ptserver simple /usr/lib/openafs/ptserver -noauth
> bos create ueafs1.ad.domain.com vlserver simple /usr/lib/openafs/vlserver -noauth
>
> # Create "afs" user in AD
>
> samba-tool spn add afs/ad.domain.com afs
> samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com

Is "ad.domain.com" your actual cell name, or is it only "domain.com"?

> # Also tried from Windows using the following and copying the keytab:
> ktpass -princ afs/ad.domain.com@AD.DOMAIN.COM -mapuser afs@AD.DOMAIN.COM \
>   -mapOp add -out keytab.afs +rndPass -ptype KRB5_NT_PRINCIPAL +DumpSalt -crypto DES-CBC-CRC
>
> # Copy /tmp/afs from Samba (or from Windows) to OpenAFS server in
> /etc/afs.keytab
>
> /opt/pbis/bin/kinit Administrator@AD.DOMAIN.COM
> /opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
> asetkey add 6 /etc/afs.keytab afs/ad.domain.com

Starting with 1.6.5.1, you don't need to use asetkey anymore. You can 
export the key to /etc/openafs/server/rxkad.keytab directly and it will 
be used by OpenAFS just fine. You're also not restricted to DES-CBC-CRC 
anymore.

> bos adduser ueafs1.ad.domain.com admin -noauth
> bos adduser ueafs1.ad.domain.com kpettijohn -noauth
> bos listkeys ueafs1.ad.domain.com -noauth
>
> # Kill bos and restart
>
> pkill bosserver
> /usr/sbin/bosserver -noauth
>
> # Initialize Protection Database
>
> pts createuser -name admin -noauth
> pts createuser -name kpettijohn -noauth
> pts adduser admin system:administrators -noauth
> pts adduser kpettijohn system:administrators -noauth
> pts membership admin -noauth
> bos restart ueafs1.ad.domain.com -all -noauth
>
> # Start file server processes
>
> bos create ueafs1.ad.domain.com fs fs /usr/lib/openafs/fileserver \
>      /usr/lib/openafs/volserver /usr/lib/openafs/salvager -noauth

You should consider using the new demand attach fileserver (DAFS) 
instead, gives much better performance.

HTH...

	Dirk
-- 
Dirk Heinrichs <dirk.heinrichs@altum.de>
Tel: +49 (0)2471 209385 | Mobil: +49 (0)176 34473913
GPG Public Key C2E467BB | Jabber: dirk.heinrichs@altum.de
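A check for the kvno question raised in the reply above, as an added example that is not part of the original thread or of OpenAFS: a POSIX sh script that reads the outputs of `klist -k`, `kvno` and `bos listkeys` and reports which of the three places (exported keytab, KDC, OpenAFS KeyFile) disagrees. The command outputs embedded in it are constructed samples (the keytab shows kvno 6 while the KDC has moved on to 7) so that it runs offline, and the principal name is assumed from the thread; on a real server replace the samples with the commands listed beside them.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenAFS project.
# Compares the key version number (kvno) of the afs/<cell> principal in the
# three places that have to agree before a ticket-authenticated "bos listkeys"
# can work: the exported keytab, the KDC, and the OpenAFS KeyFile/rxkad.keytab.
# The command outputs below are CONSTRUCTED samples so the script runs offline;
# the command that produces each one on a real server is noted next to it.

PRINC='afs/ad.domain.com@AD.DOMAIN.COM'   # assumed principal, as in the thread

# kvno of principal $1 in `klist -k <keytab>` output read from stdin
# (data lines look like "   6 afs/ad.domain.com@AD.DOMAIN.COM")
keytab_kvno() {
    awk -v p="$1" '$2 == p { kv = $1 } END { print kv }'
}

# kvno the KDC currently holds, from `kvno <principal>` output read from stdin
# (MIT format: "afs/ad.domain.com@AD.DOMAIN.COM: kvno = 6")
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# key numbers bosserver knows, from `bos listkeys <server> -localauth` output
# read from stdin ("key 6 has cksum 1466094097"), space separated
bos_keys() {
    awk '$1 == "key" { printf "%s ", $2 } END { print "" }'
}

# succeed if kvno $1 appears in the space-separated key list $2
has_key() {
    for k in $2; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# $1 keytab kvno, $2 KDC kvno, $3 bos key list; prints a verdict and returns
# 0 = consistent, 1 = keytab stale (re-export), 2 = KeyFile stale (re-import),
# 3 = a kvno could not be parsed
diagnose() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "ERROR: could not determine kvno (keytab='$1', kdc='$2')"
        return 3
    fi
    if [ "$1" != "$2" ]; then
        echo "MISMATCH: keytab has kvno $1 but KDC has kvno $2; re-export the keytab"
        return 1
    fi
    if ! has_key "$2" "$3"; then
        echo "MISMATCH: KDC has kvno $2 but bosserver knows keys [$3]; re-import the key"
        return 2
    fi
    echo "OK: kvno $2 agrees in keytab, KDC and OpenAFS KeyFile"
    return 0
}

# --- constructed sample outputs (stand-ins for the real commands) ---
KLIST_OUT='Keytab name: FILE:/etc/afs.keytab
KVNO Principal
---- ---------------------------------
   6 afs/ad.domain.com@AD.DOMAIN.COM'                 # klist -k /etc/afs.keytab
KVNO_OUT='afs/ad.domain.com@AD.DOMAIN.COM: kvno = 7'  # kvno "$PRINC"
BOS_OUT='key 6 has cksum 1466094097
Keys last changed on Tue Dec 31 21:06:31 2013.
All done.'                                           # bos listkeys <server> -localauth

# parse the three outputs and print the verdict; exit status as for diagnose()
run_check() {
    kt=$(printf '%s\n' "$KLIST_OUT" | keytab_kvno "$PRINC")
    kdc=$(printf '%s\n' "$KVNO_OUT" | kdc_kvno)
    keys=$(printf '%s\n' "$BOS_OUT" | bos_keys)
    diagnose "$kt" "$kdc" "$keys"
}

status=0
run_check || status=$?
echo "exit status: $status"
```

`kvno` needs a valid ticket first (the `kinit Administrator@...` step in the post), while `bos listkeys -localauth` reads the KeyFile on the server directly, which is why that form succeeds in the post even though the ticket-authenticated form fails: the error "ticket contained unknown key version number" means the kvno in the presented service ticket is not among the keys bosserver knows. Note that every `ktpass +rndPass` run resets the account password and bumps the kvno, so re-run the check after each re-export.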