[OpenAFS] AFS via SSH tunnel
Ernesto Alfonso
erjoalgo@gmail.com
Sun, 29 Jun 2025 20:25:40 -0400
I have an AFS server at home that's not exposed to the public internet.
When I'm not home, occasionally I'd like to have secure access to the file
system.
At first I tried to VPN into my home network to have access to the AFS
server as a local host, but I'm having trouble setting this up right now
for reasons not related to AFS--some openvpn server issue where I'm able to
establish the VPN connection but unable to see any other hosts except the
VPN server itself.
My current attempt is to use SSH to forward all the relevant openafs ports
as local services, and then try to trick my AFS client into connecting to
127.0.0.1. I'm forwarding the ports 88, 7000-7007, using a command similar
to this:
    ssh -N myhome.com -L 88:afsserver:88 -L 7000:afsserver:7000 \
        -L 7001:afsserver:7001 -L 7002:afsserver:7002 -L 7003:afsserver:7003 \
        -L 7004:afsserver:7004 -L 7005:afsserver:7005 -L 7006:afsserver:7006 \
        -L 7007:afsserver:7007
myhome.com is an intermediate host that exposes an SSH server, and can
locally access afsserver.local. The ports are forwarded to my laptop's
localhost. I then manipulate /etc/hosts to name 127.0.0.1 as afsserver, and
I also update CellServDB.
After this, I try to run kinit myuser && aklog -d
The kinit command succeeds, but aklog -d fails, curiously with exit status 0.
    $ aklog -d
    Authenticating to cell afs.example.com (server afs.example.com).
    Trying to authenticate to user's realm AFS.EXAMPLE.COM.
    Getting tickets: afs/afs.example.com@AFS.EXAMPLE.COM
    Using Kerberos V5 ticket natively
    About to resolve name admin to id in cell afs.example.com.
    Error -1
    Setting tokens. admin @ afs.example.com
    █[laptop][Downloads][0]$
I'm also unable to read any AFS files:
    cat /afs/afs.example.com/public/hola
    cat: /afs/afs.example.com/public/hola: Connection timed out
How should human users of AFS interpret this "Error -1", and what can I do
about it?
I would also welcome suggestions as to alternative ways to achieve my
original goal, though I wouldn't feel inclined to open up all the AFS
ports directly to the public.
Thanks,
Ernesto
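As an added diagnostic (not part of Ernesto's post, and assuming a Linux laptop where a datagram sent to an unbound local UDP port is reported back as ECONNREFUSED), the script below parses the -L list out of the ssh command from the post and, for each forwarded AFS port, checks whether the local endpoint accepts TCP connections and whether anything is bound to it over UDP. ssh -L only forwards TCP, while the OpenAFS Rx services behind 7000-7007 speak UDP, so a forwarded port that shows TCP open and UDP refused is exactly the local picture behind a "Connection timed out" on /afs.

```python
"""Check whether an `ssh -L` setup can actually carry OpenAFS (Rx over UDP) traffic."""
import re
import socket

# Server-side OpenAFS Rx services and the UDP ports they listen on.
AFS_PORTS = {
    7000: "fileserver", 7001: "cache manager (client callback)", 7002: "ptserver",
    7003: "vlserver", 7004: "kaserver (legacy)", 7005: "volserver", 7007: "bosserver",
}

def parse_forwards(ssh_cmd):
    """Return (local_port, remote_host, remote_port) for every -L in an ssh command line."""
    spec = re.compile(r"-L\s+(\d+):([^\s:]+):(\d+)")
    return [(int(lp), host, int(rp)) for lp, host, rp in spec.findall(ssh_cmd)]

def tcp_open(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port (e.g. an ssh -L listener)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def udp_probe(port, host="127.0.0.1", timeout=0.5):
    """Send one datagram to host:port.

    'refused'  -> the kernel reported no UDP listener (conclusive on localhost).
    'reply'    -> something answered.
    'no reply' -> something is bound but silent, or a firewall dropped the packet.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"\x00")  # constructed probe byte; Rx services will not treat it as a request
            s.recv(1)
            return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "no reply"

def diagnose(ssh_cmd):
    """For each forwarded AFS port: (local_port, service, tcp_open?, udp_probe result)."""
    report = []
    for lport, _host, rport in parse_forwards(ssh_cmd):
        service = AFS_PORTS.get(rport)
        if service is None:
            continue  # port 88 (Kerberos) is not Rx; kinit can succeed over TCP alone
        report.append((lport, service, tcp_open(lport), udp_probe(lport)))
    return report
```

Run it while the ssh tunnel is up: every AFS line reading `True, 'refused'` means the tunnel answers on TCP but the cache manager's UDP packets to 127.0.0.1 have nowhere to go.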