Re: [OpenAFS] Re: Trying OpenAFS, and missing
> Just to be sure that we have this, can you say what libkrb5
> implementation you were using for the client commands? If this was a
> problem with a libkrb5 implementation choosing DES from the local
> keytab, I'd like to just keep track of what those are. Can you 'ldd
> /path/to/bos' and just say what libkrb5 it is using?

I haven't been ignoring you. I blew away my sandbox environment after I had it working successfully, and haven't thrown up the second test one yet. I will let you know which libkrb5 it is using as soon as I get that going. Hopefully this week sometime.

-Kris
[OpenAFS] Re: Trying OpenAFS, and missing
On Thu, 9 Jan 2014 20:55:06 -0600 (CST) Kristofer Pettijohn wrote:

> Sorry for the top-post, but I just wanted to let you know my discovery.
>
> I followed the exact same instructions from the Debian tutorial wiki
> page ( https://openafs.dk/doku.php?id=server:openafs ), except I
> removed the DES keys and left myself with the two ARCFOUR keys

I'm not quite sure how/why you have 2 arcfour keys, but in the previous emails I believe you had AES keys as well. If you can run with AES, I would do so, as it is stronger. Some things will not support that, but if you were able to get them before...

> All of the instructions then worked as expected, and I now have
> successfully created a cell.

Just to be sure that we have this, can you say what libkrb5 implementation you were using for the client commands? If this was a problem with a libkrb5 implementation choosing DES from the local keytab, I'd like to just keep track of what those are. Can you 'ldd /path/to/bos' and just say what libkrb5 it is using?

-- 
Andrew Deason
adea...@sinenomine.net

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Re: Trying OpenAFS, and missing
Sorry for the top-post, but I just wanted to let you know my discovery.

I followed the exact same instructions from the Debian tutorial wiki page ( https://openafs.dk/doku.php?id=server:openafs ), except I removed the DES keys and left myself with the two ARCFOUR keys:

Keytab name: WRFILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------
   1 afs/ad.domain@ad.domain.com (arcfour-hmac)
   1 afs/ad.domain@ad.domain.com (arcfour-hmac)

All of the instructions then worked as expected, and I now have successfully created a cell.

Thank you everyone for your assistance. I'm beginning to understand how all of the OpenAFS pieces work together. We currently have 14 file servers (a combination of Samba and Windows), all part of an Active Directory domain. Some of the Windows file servers use PeerSync to replicate between each other, simply to ensure local site access is fast for a couple of departments, and the rest are stand-alone at each site. I am looking forward to testing AFS and seeing if it can provide a good replacement for a single namespace and using read-only replicas to ensure fast access to certain file sets for departments that are overly picky.

- Original Message -
From: "Andrew Deason"
To: openafs-info@openafs.org
Sent: Monday, January 6, 2014 12:48:11 PM
Subject: [OpenAFS] Re: Trying OpenAFS, and missing
[OpenAFS] Re: Trying OpenAFS, and missing
On Wed, 1 Jan 2014 18:49:16 -0600 (CST) Kristofer Pettijohn wrote:

> I re-ran through the process, following the Debian instructions (
> https://openafs.dk/doku.php?id=server:openafs ), and I am encountering
> the same error. I cannot figure this one out.

If you're still looking to solve this:

> root@ueafs1:/var/log/openafs# bos setcellname -server ueafs1.ad.domain.com
> -name ad.domain.com -localauth
> bos: failed to set cell (ticket contained unknown key version number)

Let's stop right here. Regardless of what's on the KDC, using -localauth like this should always work. This command should not involve the KDC at all; we are constructing credentials using the rxkad.keytab file on disk, and the server using (presumably) the same rxkad.keytab file on disk.

A first sanity check is to strace the 'bosserver' and 'bos' processes to see if they are actually reading the rxkad.keytab file that you think they are. You can run bosserver outside of the init script as root with no arguments; there's nothing much special about it, just make sure there's no other bosserver already running when you do it. Send the bosserver process a QUIT signal to shut it down gracefully outside of the init script.

Another sanity check is to check that the bosserver process and the 'bos' binary are linked to libkrb5. Just check e.g. 'ldd /usr/sbin/bosserver'. If either of them is not, that's a problem (though that's not your fault).

Anyway, assuming that all makes sense, another possible source of confusion: Your rxkad.keytab file posted earlier contains DES keys in it; remove them. The server processes ignore DES keys in the rxkad.keytab file, and clients should as well, but this is not always true with some krb5 implementations; it's better to just be safe and remove them. You can alter a keytab with ktutil; just check it with klist as you've been doing afterwards to make sure it contains what you think it does.

Also keep in mind that a running server does not immediately detect changes to rxkad.keytab. You need to 'touch CellServDB' for it to pick up changes; or completely restarting the server processes as I think you've been doing is fine, too.

So, if you can get strace proof that both processes are using the same rxkad.keytab (and it's the one you expect), and it contains no DES keys, and you still get that error with 'bos -localauth', then that is indeed quite strange, so let us know.

-- 
Andrew Deason
adea...@sinenomine.net
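The keytab and linkage checks described in the message above (find DES entries with klist, remove them with ktutil, confirm the binaries link libkrb5), as an added example that is not part of the thread or of OpenAFS itself. It assumes MIT Kerberos tools (Heimdal's ktutil takes different commands); the keytab path, binary path and the klist/ldd output embedded below are constructed samples, not output from the poster's hosts.

```shell
#!/bin/sh
# Added example (not from the thread or OpenAFS): audit an rxkad.keytab for DES
# entries and build the ktutil script that removes them. Assumes MIT klist/ktutil.
# The two SAMPLE_* strings are constructed so the functions can be exercised offline.

# Print the ktutil slot numbers of DES entries, reading `klist -k -e <keytab>` on stdin.
# MIT klist prints entries in keytab order and ktutil's `rkt` loads them in the same
# order, so the Nth entry line is slot N. Newer MIT releases label DES as DEPRECATED:des-...
list_weak_slots() {
    awk '
        /^ *[0-9]+ +[^ ]+ +\(.*\)$/ {
            slot++
            if ($0 ~ /\((DEPRECATED:)?des-cbc-(crc|md4|md5)\)$/) print slot
        }'
}

# Emit a ktutil command script that removes the given slots from keytab $1.
# Delete the highest slot first: ktutil renumbers the remaining entries after every
# delent, so deleting in ascending order would remove the wrong keys.
# wkt appends to an existing keytab instead of replacing it, so write a fresh file,
# verify it with `klist -k -e`, then mv it over the original (keep mode 0600 and owner).
ktutil_purge_script() {
    kt=$1; shift
    printf 'rkt %s\n' "$kt"
    for s in $(printf '%s\n' "$@" | sort -rn); do
        printf 'delent %s\n' "$s"
    done
    printf 'wkt %s.new\nquit\n' "$kt"
}

# Print the libkrb5 a binary links against, reading `ldd <binary>` on stdin.
# Empty output means it is not linked to libkrb5 at all, the problem case noted above.
# Matches libkrb5.so.* only, not libkrb5support.so.
libkrb5_of() {
    awk '$1 ~ /^libkrb5\.so/ { print $3 }'
}

# Constructed sample of `klist -k -e /etc/openafs/server/rxkad.keytab`: a mixed
# DES/AES/arcfour keytab like the one discussed in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 afs/ad.domain@ad.domain.com (des-cbc-crc)
   1 afs/ad.domain@ad.domain.com (aes256-cts-hmac-sha1-96)
   1 afs/ad.domain@ad.domain.com (aes128-cts-hmac-sha1-96)
   1 afs/ad.domain@ad.domain.com (arcfour-hmac)
   1 afs/ad.domain@ad.domain.com (DEPRECATED:des-cbc-md5)'

# Constructed sample of `ldd /usr/sbin/bosserver` on a Debian-style MIT build.
SAMPLE_LDD='        linux-vdso.so.1 (0x00007ffd1b5f3000)
        libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f3a2c1c0000)
        libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f3a2c1a0000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a2bfd0000)'

# Live use: sh audit_rxkad.sh /etc/openafs/server/rxkad.keytab /usr/sbin/bosserver
# Prints the DES slots, the ktutil script to feed `ktutil < script`, and the libkrb5 path.
if [ $# -eq 2 ]; then
    slots=$(klist -k -e "$1" | list_weak_slots)
    echo "DES slots in $1: ${slots:-none}"
    [ -n "$slots" ] && ktutil_purge_script "$1" $slots
    echo "$2 uses libkrb5: $(ldd "$2" | libkrb5_of)"
fi
```

On the sample keytab the DES entries sit in slots 1 and 5, so the generated script deletes slot 5 before slot 1. After `ktutil < script`, check `rxkad.keytab.new` with `klist -k -e` before swapping it in, then `touch CellServDB` or restart the server processes as the message says, since a running bosserver does not re-read the keytab on its own.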