Hi

On Wednesday 10 August 2005 1:53 pm, Sergio Gelato wrote:
> * Frank Burkhardt [2005-08-10 10:51:38 +0200]:
> > On Tue, Aug 09, 2005 at 10:01:01PM -0400, Madhusudan Singh wrote:
> > > I was wondering if I could ask a few questions regarding AFS setup on
> > > Debian. I am trying to follow the instructions
> > > http://www.gentoo.org/doc/en/openafs.xml?style=printable
>
> Why not follow the /usr/sbin/afs-newcell script that comes with Debian's
> openafs-dbserver package? It's rumoured to have some problems, but they
> are worth reporting. (See below.)
>

I am trying to get a feel of how the whole thing works, so I would like to get a working configuration by hand first.

> > > in a Cell A, Realm B type setup.
>
> Good, I wanted to practice doing just that, so I've just been playing
> with this.

Thank goodness. Finally, someone who is at least looking to do that.

>
> One aspect that I found to be insufficiently documented is the need to
> write your realm name in /etc/openafs/server/krb.conf . It's been

Isn't krb.conf supposed to be present in /etc instead (I have it present there, and authentication seems to be "working" (read on))?

> mentioned before on this mailing list, but seems to be missing from
> both Debian's and Gentoo's instructions, presumably because it's only
> needed when your cell name doesn't match your realm name.
>

I promise to write a thorough howto for people in this situation when I get the server up and running.

I believe I am close to getting this working. Let me first bring you all up to date:

To get past this setcellname problem, I had to shut down openafs-fileserver. Then start it with -noauth. That fixed it.

I tried to follow instructions at:

http://www.scode.org/afs/openafs-install.txt

While the document does presumably work for realm=cell setups, I learnt the hard way that the name of the admin user needed to be someone who was actually present in the realm. In hindsight, a fairly stupid error, but then anyways, this is another thing that is not documented and can throw a newbie (at server setup) like me.

After that, I followed along most of the document until it was time to get the Kerberos tickets, and the authentication choked. Until a friend pointed out that it was probably my firewall. I dropped it for a while (not recommended) and presto, the authentication for user zzz worked and I had tickets (klist). Then aklog worked.

I then reestablished the firewall and opened TCP and UDP ports 88, 749, 750, and 751. Now kinit worked but aklog did not.

That is where it stands from an authentication standpoint right now. Any idea which ports need to be open for aklog?

The next step was to set access rights on /vicepa. The instructions available on the last page of http://www.scode.org/afs/openafs-install.txt are a little confusing here. They suggest the following:

    # fs setacl /afs system:anyuser rl

Now /afs is located on /, not /vicepa (Debian install set /afs up that way). Since /afs is not located in root.afs on /vicepa, why would I even want to or be able to grant access rights to that (speaking as an afs administrator)? But if memory serves me right, the server partitions are usually mounted under /afs. So, do I set a soft link? Like ln -s /vicepa /afs?

Sure enough the above command leads to the following error:

    fs: You don't have the required access rights on '/afs'

I can't even list it:

    omega# cd afs
    -bash: cd: afs: Permission denied
    omega:/# ls /afs/
    ls: /afs/: Permission denied

I am logged in as root with zzz's kerberos credentials (that ought to be the combination with the highest access privileges on this new system).

What do you think is going on?

    omega:/# ls -ltr / | grep "afs"
    drwxrwxrwx 2 root root 2048 2005-08-10 11:11 afs
    omega:/# id
    uid=0(root) gid=0(root) groups=0(root)
    omega:/# ls -ltr /afs
    ls: /afs: Permission denied

Thanks.

PS: How about creating an openafscellnotequaltokerberosrealm wiki on Wikipedia?