[OpenAFS] Help setting up openafs on debian bookworm
Ernesto Alfonso
erjoalgo@gmail.com
Thu, 6 Jun 2024 10:40:56 -0400
I wanted to provide an update: I have finally been able to set up openafs.
Thanks to all on this thread who provided helpful advice.

I did try to document most of the situations where I got stuck, and do have
a specific list of suggestions that may help make setup easier, mostly
around providing more user-friendly error messages, that I may try to write
when I have time.

Some of the tools I used that were helpful, and may be helpful to others
when trying to set up and debug errors, in no particular order:

- Following the official AFS doc at least for the first time instead of
expecting all scripts to work. This allowed me to become more familiar with
the various AFS components and services.
- Getting out of the mindset of attempting to treat AFS as a black box that
just works after "apt-get install", and being open to learning more about
the system and its administration
- Making use of the listing and status commands to verify changes made
after every step. Some of the commands I actually used were:

    asetkey list
    tokens
    bos status
    bos listkeys
    pts membership admin -localauth
    bos listusers -server asus.erjoalgo.com
    vos listvol
    vos status
    pts listentries -localauth
    pt_util -p /var/lib/openafs/db/prdb.DB0 -user -group -members
    fs listacl
    fs listquota -human

- Reading the source of the afs-newcell and afs-rootvol and being able to
run some of the failing commands manually
- Sometimes using strace -f was helpful in identifying which file was
opened or which service or port was queried whenever a command failed
without providing a helpful explanation
- sometimes it was necessary to restart the fileserver or client; for
example, after a failed afs-rootvol command, it was necessary to run
`fs checkvolumes` as Jeffrey Altman noted, and it was also necessary to
restart openafs-fileserver
- checking out the source on debian and reading some of the source code,
and adding debug logs was sometimes helpful whenever strace did not help
- reading the debian/README.Debian file as well as the
referenced configuration-transcript.txt was helpful even if the transcript
is a little outdated
- asking for help in this mailing list
Thanks again to all,
Ernesto
On Tue, Jun 4, 2024 at 10:24 AM Jose M Calhariz <jose.calhariz@tecnico.ulisboa.pt> wrote:
> Hi,
>
> as a maintainer of an OpenAFS cell on Debian, I have been setting up
> OpenAFS cells, just for tests, from scratch on Debian until V11. I
> follow the documentation inside the package and it works for me. If I
> am not mistaken you need 1 VM for kerberos server and another VM for
> the first AFSDB/Fileserver. For a cell that needs to run more than
> some days, I use 3 AFSDB and 2 File servers and 1 Kerberos master and
> 1 Kerberos slave.
>
> As it seems you have problems setting up a real cell, I recommend to
> set up a dummy cell just for learning. OpenAFS is nice after you know
> how to deal with it, until then it is a beast that can easily bite you.
>
> Kind regards
> Jose M Calhariz
>
> On Sun, Jun 02, 2024 at 12:18:54PM -0400, Ernesto Alfonso wrote:
> > Dirk Heinrichs:
> >
> >     Because you deleted the wrong key. The AFS principal should be named
> >     "afs/<domain>@<REALM>". Just follow the instructions in
> >     https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> >     the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> >     "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> >     all set.
> >
> > Thanks. According to the afs-newcell script requirements banner, it would
> > be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the
> > principal.
> >
> >     If your cell's name is the same as your Kerberos realm then create a
> >     principal called afs.
> >     Otherwise, create a principal called afs/cellname in your realm
> >
> > I must admit that it is hard to know which guides to follow. I'm aware of
> > docs.openafs.org, but since I'm on debian I was looking for something more
> > debian-specific. Most guides and even some commands inside openafs, help
> > strings, docs are somewhat outdated with respect to the use of DES keys.
> >
> > For example, the afs-newcell says:
> >
> >     2) You need to create the single-DES AFS key and load it into
> >        /etc/openafs/server/KeyFile. ... You can use asetkey from the
> >        openafs-krb5 package, or
> >        if you used AFS3 salt to create the key, the bos addkey command.
> >
> > Also, I have learned that `bos listkeys` will only list DES keys, which was
> > confusing.
> >
> > If I try to follow docs.openafs.org it is not clear which parts are covered
> > by afs-newcell, afs-rootvol, etc and should be skipped. I also appreciate
> > having a simple script to run when setting up a new AFS cell, so I would
> > like to stick with debian packaging and scripts if possible.
> >
> > I was able to run the afs-newcell script, I only had to modify my
> > /etc/hosts to add my FQDN as an alias for 127.0.0.1.
> >
> > However, running `afs-rootvol` fails:
> >
> >     █[asus][~][0]$ sudo kinit root/admin
> >     Password for root/admin@ASUS.ERJOALGO.COM:
> >     █[asus][~][25]$ sudo aklog -d
> >     Authenticating to cell asus.erjoalgo.com (server asus.erjoalgo.com).
> >     Trying to authenticate to user's realm ASUS.ERJOALGO.COM.
> >     Getting tickets: afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM
> >     We've deduced that we need to authenticate to realm ASUS.ERJOALGO.COM.
> >     Getting tickets: afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM
> >     Getting tickets: afs@ASUS.ERJOALGO.COM
> >     Using Kerberos V5 ticket natively
> >     About to resolve name root.admin to id in cell asus.erjoalgo.com.
> >     Id 1
> >     Setting tokens. root.admin @ asus.erjoalgo.com
> >     █[asus][~][16]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com
> >     What partition? [a]
> >
> >     vos create asus.erjoalgo.com a root.cell -localauth
> >     Volume 536870915 created on partition /vicepa of asus.erjoalgo.com
> >     fs mkm /afs/asus.erjoalgo.com/.root.afs root.afs -rw
> >     fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'
> >     Failed: 256
> >
> >     Root volume setup failed, ABORTING
> >     vos remove asus.erjoalgo.com a root.cell -localauth
> >     Volume 536870915 on partition /vicepa server asus deleted
> >     █[asus][~][0]$ sudo kinit root/admin
> >     Password for root/admin@ASUS.ERJOALGO.COM:
> >     █[asus][~][130]$ sudo aklog
> >     █[asus][~][4]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com --partition=a
> >
> >     vos create asus.erjoalgo.com a root.cell -localauth
> >     Volume 536870918 created on partition /vicepa of asus.erjoalgo.com
> >     fs sa /afs system:anyuser rl
> >     fs:'/afs': Connection timed out
> >     Failed: 256
> >
> >     Root volume setup failed, ABORTING
> >     vos remove asus.erjoalgo.com a root.cell -localauth
> >     Volume 536870918 on partition /vicepa server asus deleted
> >     █[asus][~][0]$ ls /afs
> >
> >
> > I don't understand what this means:
> >
> >     fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'
> >
> > sudo klist shows that the default principal is the root/admin principal
> > specified earlier when running afs-newcell:
> >
> >     █[asus][~][130]$ sudo klist
> >     Ticket cache: FILE:/tmp/krb5cc_0
> >     Default principal: root/admin@ASUS.ERJOALGO.COM
> >
> >     Valid starting       Expires              Service principal
> >     06/02/2024 11:43:36  06/02/2024 21:43:36  krbtgt/ASUS.ERJOALGO.COM@ASUS.ERJOALGO.COM
> >     06/02/2024 11:44:32  06/02/2024 21:43:36  afs@ASUS.ERJOALGO.COM
> >     █[asus][~][0]$
> >
> > I also don't understand the connection-timed out:
> >
> >     fs:'/afs': Connection timed out
> >
> > I found the error in this post:
> >
> > https://www.cs.cmu.edu/afs/gco/archive/pipermail/openafs-info/2003-October/011026.html
> >
> > But I'm not sure I understand the suggested solution that references
> > bringing up a cache manager. I don't really understand what is going on.
> > Perhaps it would be better to try to set things up step by step and avoid
> > the debian scripts.
> >
> > Ernesto
> >
> > On Sun, Jun 2, 2024 at 9:12 AM Dirk Heinrichs <dirk.heinrichs@altum.de> wrote:
> >
> > > Ernesto Alfonso:
> > >
> > > > Now my problem is still understanding why `bos listkeys` now succeeds
> > > > but returns an empty set when asetkey does list 4 keys.
> > >
> > > Because you deleted the wrong key. The AFS principal should be named
> > > "afs/<domain>@<REALM>". Just follow the instructions in
> > > https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> > > the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> > > "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> > > all set.
> > >
> > > Also note that if you set up multiple servers, you only need to do the
> > > kadmin part once, and copy the resulting rxkad.keytab (and probably
> > > KeyFileExt) to all servers, since the kvno needs to be the same on all
> > > servers, but exporting the key increases it.
> > >
> > > HTH...
> > >
> > > Dirk
> > >
> > >
> > >
>
> --
> Remember that a good example is the best sermon
> -- H. Jackson Brown Jr.
>
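
Added example, not part of the original thread or of the OpenAFS/Debian scripts: three checks raised in the messages above (the afs-newcell banner's principal naming rule, which AFS principal the ticket cache actually holds, and Dirk Heinrichs' note that the kvno must be the same on all servers), run offline on saved `klist` and `klist -k` output. The file names, the fs1/fs2 servers, the kvno values and the case-insensitive cell/realm comparison are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Works on saved text; the live equivalents would be
#   klist > tickets.txt
#   klist -k /etc/openafs/server/rxkad.keytab > fs1.txt   (on each server)

# Service principal per the afs-newcell banner. Assumption: the cell name is
# "the same as" the realm when the two match case-insensitively.
expected_afs_principal() {            # $1 = cell, $2 = realm
    if [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = "$2" ]; then
        printf 'afs@%s\n' "$2"
    else
        printf 'afs/%s@%s\n' "$1" "$2"
    fi
}

# AFS service principals that hold a ticket, from `klist` output on stdin.
ticket_afs_principals() {
    awk '$1 ~ "^[0-9]" && $NF ~ "^afs[/@]" { print $NF }' | sort -u
}

# kvno values that a plain `klist -k` listing on stdin holds for principal $1.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ "^[0-9]+$" && $2 == p { print $1 }' |
        sort -un | paste -s -d ' ' -
}

# Fails if klist file $1 has no AFS ticket, or has one for a principal that
# keytab listing $2 holds no key for.
ticket_in_keytab() {
    found=0; bad=0
    for p in $(ticket_afs_principals < "$1"); do
        found=1
        if [ -z "$(keytab_kvnos "$p" < "$2")" ]; then
            echo "ticket is for $p, but $2 lists no key for it"; bad=1
        fi
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Fails unless every listing ($2...) holds the same kvno set for principal $1.
kvno_consistent() {
    princ=$1; shift; ref=; rc=0
    for f in "$@"; do
        k=$(keytab_kvnos "$princ" < "$f")
        echo "$f: kvno [$k]"
        if [ -z "$k" ]; then rc=1; continue; fi
        if [ -z "$ref" ]; then ref=$k; fi
        if [ "$k" != "$ref" ]; then rc=1; fi
    done
    return "$rc"
}

# --- constructed sample data: kvno values and the fs1/fs2 names are invented ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
P=afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM
cat > "$demo/tickets.txt" <<'EOF'
Default principal: root/admin@ASUS.ERJOALGO.COM
Valid starting       Expires              Service principal
06/02/2024 11:43:36  06/02/2024 21:43:36  krbtgt/ASUS.ERJOALGO.COM@ASUS.ERJOALGO.COM
06/02/2024 11:44:32  06/02/2024 21:43:36  afs@ASUS.ERJOALGO.COM
EOF
printf 'KVNO Principal\n   3 %s\n' "$P" > "$demo/fs1.txt"   # original export
printf 'KVNO Principal\n   4 %s\n' "$P" > "$demo/fs2.txt"   # key exported again

expected_afs_principal asus.erjoalgo.com ASUS.ERJOALGO.COM
ticket_in_keytab "$demo/tickets.txt" "$demo/fs1.txt" || echo "ticket/keytab principal mismatch"
kvno_consistent "$P" "$demo/fs1.txt" "$demo/fs2.txt" || echo "kvno differs between servers"
```
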