Hi,

although maybe a bit more complicated, I managed to make the AFS client work with sshuttle (tproxy mode). Callbacks sent by the servers might be an issue, though.

Cheers,
Andreas

On Sun, 2025-06-29 at 20:25 -0400, Ernesto Alfonso wrote:
> I have an AFS server at home that's not exposed to the public
> internet. When I'm not home, occasionally I'd like to have secure
> access to the file system.
>
> At first I tried to VPN into my home network to have access to the
> AFS server as a local host, but I'm having trouble setting this up
> right now for reasons not related to AFS--some openvpn server issue
> where I'm able to establish the VPN connection but unable to see any
> other hosts except the VPN server itself.
>
> My current attempt is to use SSH to forward all the relevant openafs
> ports as local services, and then try to trick my AFS client into
> connecting to 127.0.0.1. I'm forwarding the ports 88, 7000-7007,
> using a command similar to this:
>
> ssh -N myhome.com -L 88:afsserver:88 -L 7000:afsserver:7000 -L
> 7001:afsserver:7001 -L 7002:afsserver:7002 -L 7003:afsserver:7003 -L
> 7004:afsserver:7004 -L 7005:afsserver:7005 -L 7006:afsserver:7006 -L
> 7007:afsserver:7007
>
> myhome.com is an intermediate host that exposes an SSH server, and
> can locally access afsserver.local. The ports are forwarded to my
> laptop's localhost. I then manipulate /etc/hosts to name 127.0.0.1 as
> afsserver, and I also update CellServDB.
>
> After this, I try to run kinit myuser && aklog -d
>
> The kinit command succeeds, but aklog -d fails, curiously with exit
> status 0.
>
> $ aklog -d
> Authenticating to cell afs.example.com (server afs.example.com).
> Trying to authenticate to user's realm AFS.EXAMPLE.COM.
> Getting tickets: afs/[email protected]
> Using Kerberos V5 ticket natively
> About to resolve name admin to id in cell afs.example.com.
> Error -1
> Setting tokens. admin @ afs.example.com
> [laptop][Downloads][0]$
>
> I'm also unable to read any AFS files:
>
> cat /afs/afs.example.com/public/hola
> cat: /afs/afs.example.com/public/hola: Connection timed out
>
> How should human users of AFS interpret this "Error -1", and what can
> I do about it?
>
> I would also welcome suggestions as to alternative ways to
> achieve my original goal, though I wouldn't feel inclined to open up
> all the AFS ports directly to the public.
>
> Thanks,
>
> Ernesto

--
| Andreas Haupt             | E-Mail: [email protected]
| DESY, Zeuthen             | WWW:    http://www.zeuthen.desy.de/~ahaupt
| Platanenallee 6           | Phone:  +49/33762/7-7359
| D-15738 Zeuthen           |
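An added diagnostic for the setup Ernesto describes, not code from either poster: OpenAFS Rx traffic on ports 7000-7007 is UDP, while `ssh -L` forwards TCP only, so a forward like the quoted one leaves TCP-only listeners on 127.0.0.1 that cannot carry the cache manager's datagrams (which shows up as the "Connection timed out" above). The script reads saved `ss -lnt` / `ss -lnu` output and reports which socket type is bound on each AFS port; the sample output it ships with is constructed, and the `--live` flag, `classify_ports`, `count_tcp_only` and `write_samples` are names chosen here.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. OpenAFS Rx (7000-7007) is UDP; `ssh -L`
# forwards TCP only. classify_ports reads saved `ss -lnt` and `ss -lnu` output
# and reports the local socket type bound on each forwarded AFS port.

AFS_PORTS="88 7000 7001 7002 7003 7004 7005 7006 7007"

# classify_ports TCP_FILE UDP_FILE -> one line per port: "<port> tcp|udp|both|none"
# A "tcp"-only result on 7000-7007 means the tunnel cannot carry Rx datagrams.
classify_ports() {
  for p in $AFS_PORTS; do
    pat="(127\.0\.0\.1|0\.0\.0\.0|\*|\[::1?\]):$p[[:space:]]"
    t=0; u=0
    grep -Eq "$pat" "$1" && t=1
    grep -Eq "$pat" "$2" && u=1
    case "$t$u" in
      11) echo "$p both" ;; 10) echo "$p tcp" ;; 01) echo "$p udp" ;; *) echo "$p none" ;;
    esac
  done
}

# count_tcp_only TCP_FILE UDP_FILE -> number of Rx ports (7000-7007) with a TCP-only listener
count_tcp_only() {
  classify_ports "$1" "$2" | awk '$1 >= 7000 && $1 <= 7007 && $2 == "tcp"' | wc -l | tr -d ' '
}

# write_samples DIR: constructed ss output mimicking the thread's setup (88, 7000 and
# 7001 forwarded with ssh -L, plus one stray UDP socket on 7001) -> DIR/tcp, DIR/udp
write_samples() {
  printf '%s\n' 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
    'LISTEN 0 128 127.0.0.1:88 0.0.0.0:*' 'LISTEN 0 128 127.0.0.1:7000 0.0.0.0:*' \
    'LISTEN 0 128 127.0.0.1:7001 0.0.0.0:*' > "$1/tcp"
  printf '%s\n' 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
    'UNCONN 0 0 0.0.0.0:7001 0.0.0.0:*' > "$1/udp"
}

# Run against the constructed sample by default, or against this host with --live.
d=$(mktemp -d)
if [ "${1:-}" = "--live" ]; then
  ss -lnt > "$d/tcp"; ss -lnu > "$d/udp"
else
  write_samples "$d"
fi
classify_ports "$d/tcp" "$d/udp"
echo "Rx ports reachable over TCP only: $(count_tcp_only "$d/tcp" "$d/udp")"
rm -rf "$d"
```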
