[OpenAFS] Trying OpenAFS, and missing

Kristofer Pettijohn kristofer@cybernetik.net
Wed, 1 Jan 2014 15:19:04 -0600


Thank you for your response.

> >The steps I followed and documented as I went (from the Quickstart guide
> >for Linux) are listed below.
> On Debian/Ubuntu, you can also run the afs-newcell script after
> installation.

I started over and tried that, but it doesn't seem to support the
rxkad.keytab file that you mention later on in your message, so I went
back and adjusted my steps.

> >What might I be missing?  I've spent a solid 8 hours monkeying with this
> >and making no progress.
> Did you check that the kvno in your OpenAFS keyfile matches the kvno
> of the key in your KDC? If they don't match, you need to export the
> key again (each modification changes the kvno).

Yes, see below:

root@ueafs1:~# /opt/pbis/bin/klist -k -e /etc/openafs/server/rxkad.keytab
Keytab name: WRFILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 afs/ad.domain.com@AD.DOMAIN.COM (des-cbc-crc)
   6 afs/ad.domain.com@AD.DOMAIN.COM (des-cbc-md5)
   6 afs/ad.domain.com@AD.DOMAIN.COM (aes128-cts-hmac-sha1-96)
   6 afs/ad.domain.com@AD.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   6 afs/ad.domain.com@AD.DOMAIN.COM (arcfour-hmac)

root@ueafs1:~# /opt/pbis/bin/kvno afs/ad.domain.com
afs/ad.domain.com@AD.DOMAIN.COM: kvno = 6

> You don't want libpam-openafs-kaserver, but libpam-afs-session (but
> that's not related to your problem).

Thanks, I now see that kaserver was the previous/old authentication
method.  I have adjusted my steps.

> >samba-tool spn add afs/ad.domain.com afs
> >samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com
> Is "ad.domain.com" your actual cell name, or is it only "domain.com"?

ad.domain.com is my AD domain name, Kerberos realm, and cell name.

> >/opt/pbis/bin/kinit Administrator@AD.DOMAIN.COM
> >/opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
> >asetkey add 6 /etc/afs.keytab afs/ad.domain.com
> Starting with 1.6.5.1, you don't need to use asetkey anymore. You
> can export the key to /etc/openafs/server/rxkad.keytab directly and
> it will be used by OpenAFS just fine. You're also not restricted to
> DES-CBC-CRC anymore.

I tried that.  Also following the steps at
https://openafs.dk/doku.php?id=server:openafs, I went through
"Kerberizing the OpenAFS server" and "Initial setup of bosserver", and
as soon as I hit the "bos setcellname" command I receive the error:

root@ueafs1:~# bos setcellname -server ueafs1.ad.domain.com -name ad.domain.com -localauth
bos: failed to set cell (ticket contained unknown key version number)

root@ueafs1:~# /opt/pbis/bin/klist
Ticket cache: FILE:/tmp/krb5cc_483120612_gRyJqv
Default principal: kpettijohn@AD.DOMAIN.COM

Valid starting     Expires            Service principal
01/01/14 21:12:54  01/02/14 07:12:54  krbtgt/AD.DOMAIN.COM@AD.DOMAIN.COM
    renew until 01/02/14 21:12:52, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
01/01/14 21:16:03  01/02/14 07:12:54  afs/ad.domain.com@AD.DOMAIN.COM
    renew until 01/02/14 21:12:52, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

I must be missing something obviously stupid.
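As an added example (not from this thread, OpenAFS or PBIS), a small Python parser for the MIT keytab file format in which rxkad.keytab is written: it reports kvno, principal and enctype per entry, as `klist -k -e` does, and then performs the kvno comparison against the KDC's value that the reply above recommends. The sample keytab bytes are constructed inline with zeroed placeholder key material; in practice the KDC-side kvno is the number printed by the `kvno` command.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _octets(data, pos):  # keytab counted_octet_string: 16-bit big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(kvno, principal, enctype)] for every entry in version-0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        p, pos = pos + 4, pos + 4 + abs(size)    # pos now marks the start of the next record
        if size <= 0:                            # a negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _octets(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _octets(data, p)
            comps.append(comp.decode())
        p += 8                                   # skip name_type (4 bytes) and timestamp (4 bytes)
        kvno, p = data[p], p + 1                 # the 8-bit vno field
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4 + klen                            # step over the key material itself
        if pos - p >= 4:                         # optional 32-bit vno; if non-zero it overrides vno8
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        name = "/".join(comps) + "@" + realm.decode()
        entries.append((kvno, name, ENCTYPES.get(enctype, str(enctype))))
    return entries

def kvno_matches(entries, principal, kdc_kvno):
    """True when the keytab holds `principal` at the kvno the KDC reports (the check from the thread)."""
    return any(k == kdc_kvno and p == principal for k, p, _ in entries)

def _entry(realm, comps, kvno, enctype, key):  # build one entry; used only to construct the sample
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    body += b"".join(struct.pack(">H", len(c)) + c for c in comps)
    body += struct.pack(">II", 1, 0) + bytes([kvno & 0xFF])     # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: the thread's principal at kvno 6 in two enctypes, with dummy zero keys.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    _entry(b"AD.DOMAIN.COM", [b"afs", b"ad.domain.com"], 6, et, b"\x00" * n) for et, n in ((18, 32), (23, 16)))
```

Pointing `parse_keytab` at the bytes of a real rxkad.keytab and `kvno_matches` at the value `kvno afs/<cell>` prints reproduces the comparison by hand; a mismatch means the key must be re-exported, since every key change on the KDC bumps the kvno.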