Hello,

> hm, if i disable afsd, i don't need the openafs.o module, right?

Correct, but afsd (the AFS client) is needed to complete setting up the
server. Plus, it's always handy to be able to access the AFS server from
the same host... Some things work anyway (such as bos), but others do
not (such as vos, at least not all of it).

> >http://www.scode.org/afs/openafs-install.txt
>
> this reading was really great, with great comments the article on
> debianplanet did not have. i have to say that i'm using
> heimdal-kerberos, so krb5_newrealm is not available; i think this only

Ok. I haven't used it myself.

> generates a krb5.conf, right? may i post my krb5.conf, just for re-checking:

According to the manpage:

    This script attempts to create a Kerberos realm. It assumes that
    none of the realm components exists. It creates the database and
    populates /etc/krb5kdc/kadm5.keytab which contains keys necessary
    for kadmind to run.

IIRC, krb5.conf got created by the debian install scripts. I don't think
I needed to modify it afterwards. Hopefully not, since that would mean
my mini-guide is broken.

> ------/etc/krb5.conf----
> [libdefaults]
>     default_realm = HOUSECAFE.DE
>
> [realms]
>     HOUSECAFE.DE = {
>         kdc = kdc.housecafe.de
>         admin_server = kdc.housecafe.de
>     }
>
> [domain_realm]
>     .housecafe.de = HOUSECAFE.DE
>     housecafe.de = HOUSECAFE.DE
> ------

Seems to be about the same as mine, though mine doesn't contain the
entries in [domain_realm]. On other hosts I've added those, but
apparently it works without them (I'm assuming it's some kind of
default).

> there is a /var/lib/heimdal-kdc/kdc.conf also, containing some kdc
> parameters, i think this file is set up right.

Probably. Can't help you there I'm afraid.

> ok, now things got interesting. bosserver is running with -noauth,
> behaving as mentioned in your howto:
> --------
> root@sheep:~# bos listhosts kdc -noauth
> Cell name is housecafe.de
> --------

Right. I still don't know why this occurs. But I haven't bothered
investigating further since it tends to sort itself out by the time
everything's up and running.

> yes, "kdc" or "kdc.housecafe.de" is a CNAME to sheep.housecafe.de. it
> resolves in /etc/hosts as well as via DNS.

Hmm. I think the important part is that the hostname must resolve to an
ip address which must resolve to an identical hostname. I'm not saying
it won't work, but it MIGHT be that if kdc is a CNAME and the IP-address
reverse-resolves to sheep, it won't work. Or perhaps kerberos is
intelligent about CNAMEs. Or perhaps Heimdal doesn't have the same
requirements. Dunno.

> cool, but "pts createuser" fails, saying
>
> root@sheep:~# pts createuser -name root -cell housecafe.de -noauth
> pts: no servers appear to be up ; unable to create user root
> ------
>
> you mentioned this too in your howto. but Ptlog is empty, i have only

Actually my problem was that the command hung. It just sat there. As
far as I can recall.

> this message on my console. the error would be DNS related, but it is
> not, i guess. as i said, "kdc" resolves perfectly to an ip-number.
> "hostname" gives "sheep" as output, but i also used this name and even
> as FQDN in every step. the ptserver instance is definitively running:
>
> root@sheep:~# bos status kdc -long -noauth
> Instance ptserver, (type is simple) currently running normally.
> Process last started at Mon Feb 17 00:38:47 2003 (1 proc starts)
> Command 1 is '/usr/lib/openafs/ptserver'
> ----
>
> ptserver shows up in "ps aux" too.
>
> now i'm stuck again.
> i tried to use the -force option, but this only went well for the
> "createuser" process (ignored errors), "adduser" was not working.

Hmmmmm. I honestly don't know what this might be all about. As far as I
know though, it doesn't involve kerberos in any way. But I may be wrong.
But my understanding is that the kerberos ticket basically just enables
the afs client apps to create an afs ticket; I don't think kerberos is
involved in any way when performing pts commands. But again, I may be
wrong.

Anyone else got a clue? :)

> the debianplanet article did not mention this at all, other manuals are
> only adding principals, setting keytab.files, and going on to mounting
> afs volumes. i'm still a bit confused about these different approaches,
> but the more i do, the more i seem to understand :-)

Heh, that's kind of what it was like for me. There were lots of docs
that were each "kind of" right, but not quite. After lots of reading
different sources, and in particular the debian planet article, I was
finally able to get it up and running.

> you gave me great help with your debian related howto. sure, a
> generalized manual should also do. nevertheless i think i will alter
> your howto (if you don't mind) for heimdal-krb5 users, once i got this
> done here.

Sure. We should try to do this the smart way though. Rather than fork it
off, incorporate it. Then I'll have to convert it to some better format.
After all the trouble I had I figure I should try to help create some
good docs for future newbies. So if we can add heimdal info to the
mini-howto, that's a good step in the right direction of making it more
generalized.

-- 
/ Peter Schuller, InfiDyne Technologies HB

PGP userID: 0xE9758B7D or 'Peter Schuller <[EMAIL PROTECTED]>'
Key retrieval: Send an E-Mail to [EMAIL PROTECTED]
E-Mail: [EMAIL PROTECTED] Web: http://www.scode.org
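The forward/reverse name check discussed in the message above, as an added example that is not part of the original e-mail or of the mini-howto. It reports whether a configured host name is an alias and whether each address it resolves to points back to the same name; the address 192.0.2.10 and the sample records are constructed, and the thread does not establish whether Kerberos or the AFS tools actually require the round trip.

```python
import socket

def system_forward(name):
    """Return (canonical_name, [ipv4 addresses]) from the system resolver."""
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM,
                               flags=socket.AI_CANONNAME)
    canonical = infos[0][3] or name  # canonname is only set on the first entry
    return canonical, sorted({info[4][0] for info in infos})

def system_reverse(ip):
    """Return the primary host name the system resolver gives for an address."""
    return socket.gethostbyaddr(ip)[0]

def check_name(name, forward=system_forward, reverse=system_reverse):
    """Compare forward and reverse resolution for one configured host name."""
    norm = lambda host: host.rstrip(".").lower()
    canonical, ips = forward(name)
    ptr = {ip: reverse(ip) for ip in ips}
    return {
        "name": name,
        "canonical": canonical,
        "ptr": ptr,
        # True when the configured name is an alias (e.g. a CNAME)
        "is_alias": norm(canonical) != norm(name),
        # True when every address reverse-resolves to the configured name
        "round_trip": all(norm(p) == norm(name) for p in ptr.values()),
        # True when every address reverse-resolves to the canonical name
        "canonical_round_trip": all(norm(p) == norm(canonical)
                                    for p in ptr.values()),
    }

# Constructed records mirroring the thread: kdc is a CNAME for sheep.
SAMPLE_FORWARD = {
    "kdc.housecafe.de": ("sheep.housecafe.de", ["192.0.2.10"]),
    "sheep.housecafe.de": ("sheep.housecafe.de", ["192.0.2.10"]),
}
SAMPLE_REVERSE = {"192.0.2.10": "sheep.housecafe.de"}
sample_forward = SAMPLE_FORWARD.__getitem__
sample_reverse = SAMPLE_REVERSE.__getitem__

if __name__ == "__main__":
    for host in ("kdc.housecafe.de", "sheep.housecafe.de"):
        print(check_name(host, sample_forward, sample_reverse))
```

Calling `check_name(host)` without the sample resolvers runs the same comparison against the live /etc/hosts and DNS configuration of the machine.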