[OpenAFS] Trying OpenAFS, and missing
Wed, 1 Jan 2014 15:19:04 -0600
Thank you for your response.
> >The steps I followed and documented as I went (from the Quickstart guide
> >for Linux) are listed below.
> On Debian/Ubuntu, you can also run the afs-newcell script after
I started over and tried that, but it doesn't seem to support the
rxkad.keytab file that you mention later on in your message, so I went
back and adjusted my steps.
> >What might I be missing? I've spent a solid 8 hours monkeying with this
> >and making no progress.
> Did you check that the kvno in your OpenAFS keyfile matches the kvno
> of the key in your KDC? If they don't match, you need to export the
> key again (each modification changes the kvno).
Yes, see below:
root@ueafs1:~# /opt/pbis/bin/klist -k -e
Keytab name: WRFILE:/etc/openafs/server/rxkad.keytab
6 afs/ad.domain.com@AD.DOMAIN.COM (des-cbc-crc)
6 afs/ad.domain.com@AD.DOMAIN.COM (des-cbc-md5)
6 afs/ad.domain.com@AD.DOMAIN.COM (aes128-cts-hmac-sha1-96)
6 afs/ad.domain.com@AD.DOMAIN.COM (aes256-cts-hmac-sha1-96)
6 afs/ad.domain.com@AD.DOMAIN.COM (arcfour-hmac)
root@ueafs1:~# /opt/pbis/bin/kvno afs/ad.domain.com
afs/ad.domain.com@AD.DOMAIN.COM: kvno = 6
> You don't want libpam-openafs-kaserver, but libpam-afs-session (but
> that's not related to your problem).
Thanks, I now see that kaserver was the previous/old authentication
method. I have adjusted my steps.
> >samba-tool spn add afs/ad.domain.com afs
> >samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com
> Is "ad.domain.com" your actual cell name, or is it only "domain.com"?
ad.domain.com is my AD domain name, Kerberos realm, and cell name.
> >/opt/pbis/bin/kinit Administrator@AD.DOMAIN.COM
> >/opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
> >asetkey add 6 /etc/afs.keytab afs/ad.domain.com
> Starting with 220.127.116.11, you don't need to use asetkey anymore. You
> can export the key to /etc/openafs/server/rxkad.keytab directly and
> it will be used by OpenAFS just fine. You're also not restricted to
> DES-CBC-CRC anymore.
I tried that. Also following the steps at
https://openafs.dk/doku.php?id=server:openafs, I went through
"Kerberizing the OpenAFS server" and "Initial setup of bosserver", and
as soon as I hit the "bos setcellname" command I receive the error:
root@ueafs1:~# bos setcellname -server ueafs1.ad.domain.com -name
bos: failed to set cell (ticket contained unknown key version number)
Ticket cache: FILE:/tmp/krb5cc_483120612_gRyJqv
Default principal: kpettijohn@AD.DOMAIN.COM
Valid starting Expires Service principal
01/01/14 21:12:54 01/02/14 07:12:54 krbtgt/AD.DOMAIN.COM@AD.DOMAIN.COM
renew until 01/02/14 21:12:52, Etype (skey, tkt):
01/01/14 21:16:03 01/02/14 07:12:54 afs/ad.domain.com@AD.DOMAIN.COM
renew until 01/02/14 21:12:52, Etype (skey, tkt): arcfour-hmac,
I must be missing something obviously stupid.