[OpenAFS] Re: Trouble creating AFS KeyFile on FreeBSD 10.0

Eric Shell eshell@soe.ucsc.edu
Wed, 24 Sep 2014 08:22:12 -0700



> > Thanks, Ben.  Copying a regular krb5 keytab to
> > /usr/local/etc/openafs/server/rxkad.keytab worked and I was able to proceed
> > until trying to create a user.  I tried running
> >
> > pts createuser -name test -id 1000 -localauth
> >
> > but it returns
> >
> > > pts: server or network not responding; unable to create user test with id 1000
>
> Does it hang for a little while before returning this error?
>

It does, for somewhere around 30 seconds.


> > I find out what's causing the error?  I tried to learn what was going on
> > with truss and found that it was complaining that no
> > /usr/local/etc/openafs/server/KeyFile and
> > /usr/local/etc/openafs/server/UserList files existed, so I touched them,
> > but that didn't make a difference.  I shouldn't need the KeyFile at
> > all if /usr/local/etc/openafs/server/rxkad.keytab is present, correct?
>
> Don't create those files; we just probe to see if they exist, but
> indeed, you don't need them.
>
> > In case it is relevant, when I run the pts createuser command with
> > -noauth it immediately returns a "Permission denied" error.
>
> That's helpful to know, since it shows we don't actually have a problem
> with simply contacting the server. Questions and things to try:
>
> Can you run any command successfully with -localauth? A good simple test
> is 'bos status' like you showed; just run it with -localauth.
>

Yes, this works.  It immediately says that buserver, vlserver, and ptserver
are running normally.


>
> Did you restart the servers after putting rxkad.keytab in place? (This
> isn't always necessary, but at least in situations like this I think
> it's simpler to do so.)
>

Yeah, I did stop/start them.  Later I also tried deleting and recreating
them, not sure if that introduced any problems.


>
> Can you show the contents of rxkad.keytab? Not the keys, obviously; just
> what the principals and enctypes are.
>

Sure thing:

Vno  Type                     Principal                      Aliases
   2  aes256-cts-hmac-sha1-96  afs/soe.ucsc.edu@SOE.UCSC.EDU
   2  des3-cbc-sha1            afs/soe.ucsc.edu@SOE.UCSC.EDU
   2  arcfour-hmac-md5         afs/soe.ucsc.edu@SOE.UCSC.EDU


-- 
Eric Shell
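The keytab listing above shows exactly what a keytab inspector should expose: version numbers, enctypes and principals, never key bytes. What follows is an added example, not code from the OpenAFS thread or project: it constructs an in-line sample keytab in the 0x0502 file layout shared by MIT krb5 and Heimdal, with all-zero dummy keys for the three entries shown, parses it without returning key material, and flags the des3 and arcfour entries as deprecated enctypes.

```python
import struct

# Added example (not from the OpenAFS thread): list principals and enctypes in a
# keytab without ever exposing key bytes. The sample below is constructed in-line
# in the v2 (0x0502) layout shared by MIT krb5 and Heimdal, with all-zero dummy keys.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}
DEPRECATED = {1, 3, 16, 23}   # single DES (RFC 6649), DES3 and RC4 (RFC 8429)
_cstr = lambda b: struct.pack(">H", len(b)) + b   # counted octet string

def build_entry(components, realm, enctype, vno, key, timestamp=1411572000):
    """Serialize one keytab record (used here only to construct the sample)."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, timestamp, vno & 0xFF)  # name_type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key     # keyblock
    body += struct.pack(">I", vno)                          # 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per entry; key material is skipped and never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0: pos -= size; continue        # negative size = deleted slot
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []                              # realm first, then components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _nt, _ts, vno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4:                        # trailing 32-bit vno overrides vno8
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        out.append({"vno": vno, "enctype": enctype,
                    "type": ENCTYPE_NAMES.get(enctype, str(enctype)),
                    "principal": "/".join(strings[1:]) + "@" + strings[0]})
    return out

def deprecated_entries(entries):   # IETF-deprecated enctypes, worth rekeying
    return [e for e in entries if e["enctype"] in DEPRECATED]

SAMPLE = b"\x05\x02" + b"".join(
    build_entry(["afs", "soe.ucsc.edu"], "SOE.UCSC.EDU", et, 2, bytes(klen))
    for et, klen in ((18, 32), (16, 24), (23, 16)))
```

Against a real file, pass `open(path, "rb").read()` to `parse_keytab`; the older 0x0501 layout differs (realm counted in the component count, no name_type) and is rejected rather than misparsed.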
