Dirk Heinrichs: Because you deleted the wrong key. The AFS principal should be named "afs/<domain>@<REALM>". Just follow the instructions in https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be all set.
Thanks. According to the afs-newcell script requirements banner, it would be acceptable to use `afs` instead of `afs/asus.erjoalgo.com` as the principal:

    If your cell's name is the same as your Kerberos realm then create a principal called afs. Otherwise, create a principal called afs/cellname in your realm

I must admit that it is hard to know which guides to follow. I'm aware of docs.openafs.org, but since I'm on debian I was looking for something more debian-specific. Most guides and even some commands inside openafs, help strings, docs are somewhat outdated with respect to the use of DES keys. For example, the afs-newcell says:

    2) You need to create the single-DES AFS key and load it into /etc/openafs/server/KeyFile.
    ...
    You can use asetkey from the openafs-krb5 package, or if you used AFS3 salt to create the key, the bos addkey command.

Also, I have learned that `bos listkeys` will only list DES keys, which was confusing.

If I try to follow docs.openafs.org it is not clear which parts are covered by afs-newcell, afs-rootvol, etc and should be skipped. I also appreciate having a simple script to run when setting up a new AFS cell, so I would like to stick with debian packaging and scripts if possible.

I was able to run the afs-newcell script, I only had to modify my /etc/hosts to add my FQDN as an alias for 127.0.0.1. However, running `afs-rootvol` fails:

    █[asus][~][0]$ sudo kinit root/admin
    Password for root/ad...@asus.erjoalgo.com:
    █[asus][~][25]$ sudo aklog -d
    Authenticating to cell asus.erjoalgo.com (server asus.erjoalgo.com).
    Trying to authenticate to user's realm ASUS.ERJOALGO.COM.
    Getting tickets: afs/asus.erjoalgo....@asus.erjoalgo.com
    We've deduced that we need to authenticate to realm ASUS.ERJOALGO.COM.
    Getting tickets: afs/asus.erjoalgo....@asus.erjoalgo.com
    Getting tickets: a...@asus.erjoalgo.com
    Using Kerberos V5 ticket natively
    About to resolve name root.admin to id in cell asus.erjoalgo.com.
    Id 1
    Setting tokens. root.admin @ asus.erjoalgo.com
    █[asus][~][16]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com
    What partition? [a]
    vos create asus.erjoalgo.com a root.cell -localauth
    Volume 536870915 created on partition /vicepa of asus.erjoalgo.com
    fs mkm /afs/asus.erjoalgo.com/.root.afs root.afs -rw
    fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'
    Failed: 256
    Root volume setup failed, ABORTING
    vos remove asus.erjoalgo.com a root.cell -localauth
    Volume 536870915 on partition /vicepa server asus deleted
    █[asus][~][0]$ sudo kinit root/admin
    Password for root/ad...@asus.erjoalgo.com:
    █[asus][~][130]$ sudo aklog
    █[asus][~][4]$ sudo afs-rootvol --requirements-met --server asus.erjoalgo.com --partition=a
    vos create asus.erjoalgo.com a root.cell -localauth
    Volume 536870918 created on partition /vicepa of asus.erjoalgo.com
    fs sa /afs system:anyuser rl
    fs:'/afs': Connection timed out
    Failed: 256
    Root volume setup failed, ABORTING
    vos remove asus.erjoalgo.com a root.cell -localauth
    Volume 536870918 on partition /vicepa server asus deleted
    █[asus][~][0]$ ls /afs

I don't understand what this means:

    fs: You don't have the required access rights on '/afs/asus.erjoalgo.com/.root.afs'

sudo klist shows that the default principal is the root/admin principal specified earlier when running afs-newcell:

    █[asus][~][130]$ sudo klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: root/ad...@asus.erjoalgo.com

    Valid starting       Expires              Service principal
    06/02/2024 11:43:36  06/02/2024 21:43:36  krbtgt/asus.erjoalgo....@asus.erjoalgo.com
    06/02/2024 11:44:32  06/02/2024 21:43:36  a...@asus.erjoalgo.com
    █[asus][~][0]$

I also don't understand the connection-timed out:

    fs:'/afs': Connection timed out

I found the error in this post: https://www.cs.cmu.edu/afs/gco/archive/pipermail/openafs-info/2003-October/011026.html

But I'm not sure I understand the suggested solution that references bringing up a cache manager. I don't really understand what is going on.

Perhaps it would be better to try to set things up step by step and avoid the debian scripts.

Ernesto

On Sun, Jun 2, 2024 at 9:12 AM Dirk Heinrichs <dirk.heinri...@altum.de> wrote:
> Ernesto Alfonso:
>
> > Now my problem is still understanding why `bos listkeys` now succeeds
> > but returns an empty set when asetkey does list 4 keys.
>
> Because you deleted the wrong key. The AFS principal should be named
> "afs/<domain>@<REALM>". Just follow the instructions in
> https://docs.openafs.org/QuickStartUnix/HDRWQ50.html, under "Generating
> the Cell's Kerberos V5 Keys", but replace "/usr/afs/etc" with
> "/etc/openafs/server", which is used on Debian/Ubuntu, and you should be
> all set.
>
> Also note that if you setup multiple servers, you only need to do the
> kadmin part once, and copy the resulting rxkad.keytab (and probably
> KeyFileExt) to all servers, since the kvno needs to be the same on all
> servers, but exporting the key increases it.
>
> HTH...
>
> Dirk
>
> --
> Dirk Heinrichs <dirk.heinri...@altum.de>
> Matrix-Adresse: @heini:chat.altum.de
> GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
> Privacy Handbuch: https://www.privacy-handbuch.de
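Two checks a cell administrator can script from the advice in this thread, added here as an example and not part of either message: the afs-newcell rule for which AFS service principal name to expect, a check of `klist` output for a ticket to it in the order `aklog -d` tried them, and a comparison of the AFS key's kvno between two `klist -k` listings (Dirk's point about copying one rxkad.keytab to every server). The cell name example.org, realm EXAMPLE.ORG and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the AFS service
# principal naming and keytab kvno discussed above. Names are constructed.
# Expected AFS service principal, following the afs-newcell rule quoted in the
# thread: plain "afs" when the cell name equals the realm, else "afs/<cell>".
afs_principal() {
    cell=$1; realm=$2
    if [ "$(printf '%s' "$cell" | tr 'a-z' 'A-Z')" = "$realm" ]; then
        printf 'afs@%s\n' "$realm"
    else
        printf 'afs/%s@%s\n' "$cell" "$realm"
    fi
}

# Print the AFS service ticket found in klist output (stdin), trying
# afs/<cell>@REALM first and then afs@REALM, the order aklog -d tried above.
# Exits 1 when neither ticket is present.
afs_ticket_principal() {
    cell=$1; realm=$2
    awk -v p1="afs/$cell@$realm" -v p2="afs@$realm" '
        $NF == p1 { f1 = $NF }
        $NF == p2 { f2 = $NF }
        END { if (f1) print f1; else if (f2) print f2; else exit 1 }'
}

# Print the kvno(s) of the AFS key in "klist -k" output (stdin), whose data
# lines look like "   3 afs/cell@REALM". Exits 1 if no AFS key is present.
keytab_afs_kvno() {
    awk '$2 ~ /^afs(\/[^@]*)?@/ { print $1; found = 1 } END { exit !found }'
}

# Compare the AFS kvno in two keytab listings; true only when they match,
# which is what copying one rxkad.keytab to every server guarantees.
kvno_matches() {
    a=$(printf '%s\n' "$1" | keytab_afs_kvno)
    b=$(printf '%s\n' "$2" | keytab_afs_kvno)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample outputs (not the thread's real output)
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@EXAMPLE.ORG

Valid starting       Expires              Service principal
06/02/2024 11:43:36  06/02/2024 21:43:36  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
06/02/2024 11:44:32  06/02/2024 21:43:36  afs/example.org@EXAMPLE.ORG'
SAMPLE_KEYTAB_A='KVNO Principal
   3 afs/example.org@EXAMPLE.ORG'
SAMPLE_KEYTAB_B='KVNO Principal
   4 afs/example.org@EXAMPLE.ORG'
```

On a real server, feed `sudo klist` and `sudo klist -k /etc/openafs/server/rxkad.keytab` into these functions instead of the samples; a kvno mismatch between servers is the symptom Dirk warns about.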