* Madhusudan Singh [2005-08-12 10:47:00 -0400]:
> > Why not follow the /usr/sbin/afs-newcell script that comes with Debian's
> > openafs-dbserver package? It's rumoured to have some problems, but they
> > are worth reporting. (See below.)
>
> I am trying to get a feel of how the whole thing works, so I would like to
> get a working configuration by hand first.

That's OK, but by "follow" I didn't necessarily mean "run". One can also
read the script as documentation and type in the commands by hand.

> > One aspect that I found to be insufficiently documented is the need to
> > write your realm name in /etc/openafs/server/krb.conf . It's been
>
> Isn't krb.conf supposed to be present in /etc instead (I have it present
> there, and authentication seems to be "working" (read on))?

Covered in the mailing list archives. If you have an /etc/krb.conf on your
server for other reasons (generic Kerberos 4 support, presumably, but that's
getting out of fashion) and the realm for your cell is the first one listed
in that file, then indeed you don't need a separate krb.conf in
/etc/openafs/server.

> Then aklog worked. I then reestablished the firewall and opened TCP and UDP
> ports 88, 749, 750, and 751. Now kinit worked but aklog did not. That is
> where it stands from an authentication standpoint right now. Any idea which
> ports need to be open for aklog?

4444 (krb524d), most probably. You can strace aklog to find out for sure.
And of course you'll want to open some of UDP 7000-7011 for AFS itself;
especially 7001 inbound, since callbacks can occur a long time after any
outbound AFS traffic from your host so that even stateful firewalls can have
trouble with them. Note that these are client-side requirements (you asked
about aklog); the optimal firewall settings for a server will be different.

> # fs setacl /afs system:anyuser rl
>
> Now /afs is located on /, not /vicepa (Debian install set /afs up that way).

/afs is a mount point. You need the AFS client to be running in order for
the fs command to work.

> Since /afs is not located in root.afs on /vicepa, why would I even want to or
> be able to grant access rights to that (speaking as an afs administrator).
> But if memory serves me right, the server partitions are usually mounted
> under /afs. So, do I set a soft link? Like ln -s /vicepa /afs?

No, no, no. Just run /etc/init.d/openafs-client force-start if it isn't
already running. (I think it is. "pgrep -fl afsd" will tell.)

> Sure enough the above command leads to the following error:
>
> fs: You don't have the required access rights on '/afs'

Check your tokens. Note that this is exactly the symptom I had when I was
missing a krb.conf file. Other related symptoms included pts subcommands
failing unless they were invoked with -noauth. Did you restart bosserver
without -noauth, by the way? At this stage you want to have full
authentication support.

> I am logged in as root with zzz's kerberos credentials (that ought to be
> the combination with the highest access privileges on this new system). What
> do you think is going on?
>
> omega:/# ls -ltr / | grep "afs"
> drwxrwxrwx 2 root root 2048 2005-08-10 11:11 afs
>
> omega:/# id
> uid=0(root) gid=0(root) groups=0(root)

tokens? (And you could at least set up a PAG with pagsh; no need for *every*
daemon on your system to have administrative access to your AFS cell while
you are working.)

> omega:/# ls -ltr /afs
> ls: /afs: Permission denied
>
> Thanks.
>
> PS: How about creating an openafscellnotequaltokerberosrealm wiki on
> Wikipedia?

There isn't that much to know: the AFS service principal obviously had better
have the cell name as instance, and the cell->realm mapping needs to be
configured (krb.conf). Maybe that can fit on an existing page of the AFS wiki?
I looked for that information in the FAQ.

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
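An added example (not from this thread or from OpenAFS) of the firewall check the port discussion above calls for: it reads an iptables-save dump and reports which of the listed client-side ports (the poster's Kerberos set, 4444 for krb524d, and UDP 7001 for callbacks) have no explicit INPUT accept. The dump is constructed for illustration; a RELATED,ESTABLISHED rule is deliberately not counted, since it does not cover a callback arriving long after the last outbound packet.

```python
import re
from typing import List, Set, Tuple

# Constructed iptables-save excerpt for an AFS client host (not a real host).
# It relies on connection tracking plus the Kerberos ports the poster opened.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 88,749:751 -j ACCEPT
-A INPUT -p udp -m multiport --dports 88,749:751 -j ACCEPT
COMMIT
"""

# Inbound (proto, port) pairs the thread lists for a client. UDP 7001 needs
# its own accept: a conntrack entry expires long before the fileserver's
# next callback, so the stateful rule above does not help.
REQUIRED = {("tcp", p) for p in (88, 749, 750, 751)}
REQUIRED |= {("udp", p) for p in (88, 749, 750, 751, 4444, 7001)}

# Matches "-p tcp/udp ... --dport N" or "--dports a,b:c ... -j ACCEPT" on INPUT.
RULE_RE = re.compile(r"^-A INPUT .*?-p (tcp|udp)\b.*?--dports? ([\d:,]+).*?-j ACCEPT")


def expand_ports(spec: str) -> Set[int]:
    """Expand an iptables port spec: '88,749:751' -> {88, 749, 750, 751}."""
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def accepted_input(dump: str) -> Set[Tuple[str, int]]:
    """Explicit (proto, port) accepts on INPUT; stateful rules are ignored."""
    found: Set[Tuple[str, int]] = set()
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            found.update((m.group(1), p) for p in expand_ports(m.group(2)))
    return found


def missing_afs_client_ports(dump: str) -> List[Tuple[str, int]]:
    """Required pairs with no explicit accept, sorted for stable reporting."""
    return sorted(REQUIRED - accepted_input(dump))


if __name__ == "__main__":
    for proto, port in missing_afs_client_ports(SAMPLE_DUMP):
        print(f"missing inbound accept: {proto}/{port}")
```

On the sample dump the report names udp/4444 and udp/7001, which matches the two gaps the reply points out.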