Dirk Heinrichs:

    Because you deleted the wrong key. The AFS principal should be named
    "afs/<domain>@<REALM>".  Just follow the instructions in
    https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
    the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
    "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
    all set.

Thanks. According to the afs-newcell script requirements banner, it would
be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the
principal.

    If your cell's name is the same as your Kerberos realm then create a
    principal called afs.
    Otherwise, create a principal called afs/cellname in your realm

I must admit that it is hard to know which guides to follow. I'm aware of
docs.openafs.org, but since I'm on Debian I was looking for something more
Debian-specific. Most guides, and even some commands, help strings and docs
inside openafs, are somewhat outdated with respect to the use of DES keys.

For example, the afs-newcell says:

    2) You need to create the single-DES AFS key and load it into
       /etc/openafs/server/KeyFile.  ... You can use asetkey from the
       openafs-krb5 package, or
       if you used AFS3 salt to create the key, the bos addkey command.

Also, I have learned that `bos listkeys` will only list DES keys, which was
confusing.

If I try to follow docs.openafs.org it is not clear which parts are covered
by afs-newcell, afs-rootvol, etc. and should be skipped. I also appreciate
having a simple script to run when setting up a new AFS cell, so I would
like to stick with Debian packaging and scripts if possible.

I was able to run the afs-newcell script; I only had to modify my
/etc/hosts to add my FQDN as an alias for 127.0.0.1.

However, running `afs-rootvol` fails:

    █[asus][~][0]$ sudo kinit root/admin
    Password for root/ad...@asus.erjoalgo.com:
    █[asus][~][25]$ sudo aklog -d
    Authenticating to cell asus.erjoalgo.com (server asus.erjoalgo.com).
    Trying to authenticate to user's realm ASUS.ERJOALGO.COM.
    Getting tickets: afs/asus.erjoalgo....@asus.erjoalgo.com
    We've deduced that we need to authenticate to realm ASUS.ERJOALGO.COM.
    Getting tickets: afs/asus.erjoalgo....@asus.erjoalgo.com
    Getting tickets: a...@asus.erjoalgo.com
    Using Kerberos V5 ticket natively
    About to resolve name root.admin to id in cell asus.erjoalgo.com.
    Id 1
    Setting tokens. root.admin @ asus.erjoalgo.com
    █[asus][~][16]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com
    What partition? [a]

    vos create asus.erjoalgo.com a root.cell -localauth
    Volume 536870915 created on partition /vicepa of asus.erjoalgo.com
    fs mkm /afs/asus.erjoalgo.com/.root.afs root.afs -rw
    fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'
    Failed: 256

    Root volume setup failed, ABORTING
    vos remove asus.erjoalgo.com a root.cell -localauth
    Volume 536870915 on partition /vicepa server asus deleted
    █[asus][~][0]$ sudo kinit root/admin
    Password for root/ad...@asus.erjoalgo.com:
    █[asus][~][130]$ sudo aklog
    █[asus][~][4]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com  --partition=a

    vos create asus.erjoalgo.com a root.cell -localauth
    Volume 536870918 created on partition /vicepa of asus.erjoalgo.com
    fs sa /afs system:anyuser rl
    fs:'/afs': Connection timed out
    Failed: 256

    Root volume setup failed, ABORTING
    vos remove asus.erjoalgo.com a root.cell -localauth
    Volume 536870918 on partition /vicepa server asus deleted
    █[asus][~][0]$ ls /afs


I don't understand what this means:

    fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'

sudo klist shows that the default principal is the root/admin principal
specified earlier when running afs-newcell:

    █[asus][~][130]$ sudo klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: root/ad...@asus.erjoalgo.com

    Valid starting       Expires              Service principal
    06/02/2024 11:43:36  06/02/2024 21:43:36  krbtgt/asus.erjoalgo....@asus.erjoalgo.com
    06/02/2024 11:44:32  06/02/2024 21:43:36  a...@asus.erjoalgo.com
    █[asus][~][0]$

I also don't understand the connection timed out:

      fs:'/afs': Connection timed out

I found the error in this post:

https://www.cs.cmu.edu/afs/gco/archive/pipermail/openafs-info/2003-October/011026.html

But I'm not sure I understand the suggested solution that references
bringing up a cache manager. I don't really understand what is going on.
Perhaps it would be better to try to set things up step by step and avoid
the debian scripts.

Ernesto

On Sun, Jun 2, 2024 at 9:12 AM Dirk Heinrichs <dirk.heinri...@altum.de>
wrote:

> Ernesto Alfonso:
>
> > Now my problem is still understanding why `bos listkeys` now succeeds
> > but returns an empty set when asetkey does list 4 keys.
>
> Because you deleted the wrong key. The AFS principal should be named
> "afs/<domain>@<REALM>".  Just follow the instructions in
> https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> all set.
>
> Also note that if you set up multiple servers, you only need to do the
> kadmin part once, and copy the resulting rxkad.keytab (and probably
> KeyFileExt) to all servers, since the kvno needs to be the same on all
> servers, but exporting the key increases it.
>
> HTH...
>
>      Dirk
>
> --
> Dirk Heinrichs <dirk.heinri...@altum.de>
> Matrix address: @heini:chat.altum.de
> GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
> Privacy Handbuch: https://www.privacy-handbuch.de
>
>
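As an added illustration (not code from the thread or from OpenAFS), a small Python check that applies the afs-newcell principal rule quoted above and Dirk's point that the kvno must agree across servers, run over constructed `klist -k` output for a hypothetical three-server cell:

```python
import re

# Sample `klist -k` output for three servers, constructed for this example;
# the principal names follow the cell discussed in the thread.
KEYTABS = {
    "asus": "Keytab name: FILE:/etc/openafs/server/rxkad.keytab\n"
            "KVNO Principal\n"
            "---- ----------\n"
            "   3 afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM\n",
    "second": "Keytab name: FILE:/etc/openafs/server/rxkad.keytab\n"
              "KVNO Principal\n"
              "---- ----------\n"
              "   4 afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM\n",  # re-exported: kvno bumped
    "third": "Keytab name: FILE:/etc/openafs/server/rxkad.keytab\n"
             "KVNO Principal\n"
             "---- ----------\n"
             "   2 host/third.asus.erjoalgo.com@ASUS.ERJOALGO.COM\n",  # no AFS key at all
}

def acceptable_afs_principals(cell, realm):
    """Names the afs-newcell banner accepts: afs/<cell> always, bare afs only
    when the cell name equals the realm (compared case-insensitively)."""
    realm = realm.upper()
    names = {f"afs/{cell.lower()}@{realm}"}
    if cell.lower() == realm.lower():
        names.add(f"afs@{realm}")
    return names

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

def parse_klist_keytab(text):
    """Return [(kvno, principal)] from the KVNO/Principal table of `klist -k`."""
    return [(int(m.group(1)), m.group(2))
            for m in map(KEYTAB_LINE.match, text.splitlines()) if m]

def check_cell_keys(cell, realm, keytabs):
    """keytabs: server name -> klist -k output. Reports servers with no AFS key
    and whether the highest AFS kvno agrees across all servers."""
    wanted = acceptable_afs_principals(cell, realm)
    kvno_by_server, missing = {}, []
    for server, text in keytabs.items():
        kvnos = [k for k, p in parse_klist_keytab(text) if p in wanted]
        if kvnos:
            kvno_by_server[server] = max(kvnos)
        else:
            missing.append(server)
    return {"missing_on": missing, "kvno_by_server": kvno_by_server,
            "kvno_consistent": len(set(kvno_by_server.values())) <= 1}

if __name__ == "__main__":
    print(check_cell_keys("asus.erjoalgo.com", "ASUS.ERJOALGO.COM", KEYTABS))
```

On a real cell the keytab text would come from `klist -k /etc/openafs/server/rxkad.keytab` on each server; a kvno mismatch means the key was exported more than once instead of copied, as the quoted reply warns.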