[OpenAFS] Re: Trying OpenAFS, and missing

Kristofer Pettijohn kristofer@cybernetik.net
Thu, 9 Jan 2014 20:55:06 -0600 (CST)

Sorry for the top-post, but I just wanted to let you know my discovery. 

I followed the exact same instructions from the Debian tutorial wiki page ( https://openafs.dk/doku.php?id=server:openafs ), except I removed the DES keys and left myself with the two ARCFOUR keys 

Keytab name: WRFILE:/etc/openafs/server/rxkad.keytab 
KVNO Principal 
---- -------------------------------------------------------------------------- 
1 afs/ad.domain.com@AD.DOMAIN.COM (arcfour-hmac) 
1 afs/ad.domain.com@AD.DOMAIN.COM (arcfour-hmac) 

All of the instructions then worked as expected, and I now have successfully created a cell. 

Thank you everyone for your assistance. I'm beginning to understand how all of the OpenAFS pieces work together. 

We currently have 14 file servers (a combination of Samba and Windows), all part of an Active Directory domain.  Some of the Windows file servers use PeerSync to replicate between each other, simply to ensure local site access is fast for a couple of departments, and the rest are stand-alone at each site.  I am looking forward to test AFS and see if it can provide a good replacement for a single namespace and using read-only replicas to ensure fast access to certain file sets for departments that are overly picky.

----- Original Message ----- 
From: "Andrew Deason" <adeason@sinenomine.net> 
To: openafs-info@openafs.org 
Sent: Monday, January 6, 2014 12:48:11 PM 
Subject: [OpenAFS] Re: Trying OpenAFS, and missing 

On Wed, 1 Jan 2014 18:49:16 -0600 (CST) 
Kristofer Pettijohn <kristofer@cybernetik.net> wrote: 

> I re-ran through the process, following the Debian instructions ( 
> https://openafs.dk/doku.php?id=server:openafs ), and I am encountering 
> the same error. I cannot figure this one out. 

If you're still looking to solve this: 

> root@ueafs1:/var/log/openafs# bos setcellname -server ueafs1.ad.domain.com -name ad.domain.com -localauth 
> bos: failed to set cell (ticket contained unknown key version number) 

Let's stop right here. Regardless of what's on the KDC, using -localauth 
like this should always work. This command should not involve the KDC at 
all; we are constructing credentials using the rxkad.keytab file on 
disk, and the server using (presumably) the same rxkad.keytab file on 
disk. A first sanity check is to strace the 'bosserver' and 'bos' 
processes to see if they are actually reading the rxkad.keytab file that 
you think they are. You can run bosserver outside of the init script as 
root with no arguments; there's nothing much special about it, just make 
sure there's no other bosserver already running when you do it. Send the 
bosserver process a QUIT signal to shut it down gracefully outside of 
the init script. 

Another sanity check is to check that the bosserver process and the 
'bos' binary are linked to libkrb5. Just check e.g. 'ldd 
/usr/sbin/bosserver'. If either of them are not, that's a problem 
(though that's not your fault). 

Anyway, assuming that all makes sense, another possible source of 

Your rxkad.keytab file posted earlier contains DES keys in it; remove 
them. The server processes ignore DES keys in the rxkad.keytab file, and 
clients should as well, but this is not always true with some krb5 
implementations; it's better to just be safe and remove them. You can 
alter a keytab with ktutil; just check it with klist as you've been 
doing afterwards to make sure it contains what you think it does. 

Also keep in mind that a running server does not immediately detect 
changes to rxkad.keytab immediately. You need to 'touch CellServDB' for 
it to pick up changes; or completely restarting the server processes as 
I think you've been doing is fine, too. 

So, if you can get strace proof that both processes are using the same 
rxkad.keytab (and it's the one you expect), and it contains no DES keys, 
and you still get that error with 'bos -localauth', then that is indeed 
quite strange, so let us know. 

Andrew Deason 

OpenAFS-info mailing list