Re: [OpenAFS] Newbie Question

2008-05-02 Thread Steve Devine

Gary Bowling wrote:


I'm a newbie to AFS, but have been an "IT guy" for a long time. Trying 
to set this up in a lab to test to gain understanding of how to use 
for one of my customers.


My server is CentOS 5 and I'm almost there, but stuck at the very 
end. Here's what I've done and where I'm stuck.


- Installed all the appropriate kerberos and openafs tools via the rpm 
repository, openafs version is 1.4.6.


- Set up krb5.conf as follows:

   [logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

   [libdefaults]
default_realm = GBCO.US
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

   [realms]
GBCO.US = {
 kdc = kerberos.gbco.us:88
 admin_server = kerberos.gbco.us:749
 default_domain = gbco.us
}

   [domain_realm]
.gbco.us = GBCO.US
gbco.us = GBCO.US

   [kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

   [appdefaults]
afs_krb5 = {
 GBCO.US = {
  afs/GBCO.US = false
  afs = false
 }
}

pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}


- set up /var/kerberos/krb5kdc/kdc.conf as follows:
   [kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88

   [realms]
GBCO.US = {
 #master_key_type = des3-hmac-sha1
 master_key_type = des-cbc-crc
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}

- Set up /etc/pam.d/login and added the following line:

   auth   sufficient  /usr/lib/security/pam_afs.so  
try_first_pass  ignore_root


- Ran kadmin.local -q "addprinc -randkey afs"   - success!

- Ran kadmin.local -q "ktadd -e des-cbc-crc:afs3 afs" - Success! with 
kvno number 3


- Ran asetkey add 3 /etc/krb5.keytab afs - Success!

- Edited /etc/sysconfig/openafs and added the BOSSERVER_ARGS=-noauth 
line and started openafs-server - Success!


- Ran bos setcellname localhost gbco.us -noauth - Success and bos 
listhosts localhost -noauth returns the cell name gbco.us and hostname 
homepc.gbco.us which are both correct.


- Ran bos create -server homepc.gbco.us -instance ptserver -type 
simple -cmd /usr/afs/bin/ptserver -cell gbco.us  -noauth - Success!


- Ran kadmin.local -q "addprinc admin" - Success!

- Ran bos adduser homepc.gbco.us admin -cell gbco.us -noauth - Success

- Ran bos listkeys homepc.gbco.us -cell gbco.us -noauth - All looks 
good as follows.

   key 3 has cksum 2318139578
   Keys last changed on Fri May  2 07:21:18 2008.
   All done.

- Ran pts createuser -name admin -cell gbco.us -noauth - Success!

- Ran pts adduser admin system:administrators -cell gbco.us -noauth - 
success


- Ran pts membership admin -cell gbco.us -noauth - Looks good with the 
following results.

   Groups admin (id: 1) is a member of:
 system:administrators

- Ran  bos create -server homepc.gbco.us -instance fs -type fs -cmd 
/usr/afs/bin/fileserver -cmd /usr/afs/bin/volserver -cmd 
/usr/afs/bin/salvager -cell gbco.us -noauth - Success!


- Ran bos create -server homepc.gbco.us -instance vlserver -type 
simple -cmd /usr/afs/bin/vlserver -cell gbco.us -noauth - Success!


-Ran bos create -server homepc.gbco.us -instance buserver -type simple 
-cmd /usr/afs/bin/buserver -cell gbco.us -noauth - Success!


- Created /vicepa mount point and mounted - looks good.

- Ran vos create -server homepc.gbco.us -partition /vicepa -name 
root.afs -cell gbco.us -noauth - Success!


- Ran bos status homepc.gbco.us fs -long -noauth - Looks good with the 
following results..

   Instance fs, (type is fs) currently running normally.
   Auxiliary status is: file server running.
   Process last started at Fri May  2 09:25:37 2008 (2 proc starts)
   Command 1 is '/usr/afs/bin/fileserver'
   Command 2 is '/usr/afs/bin/volserver'
   Command 3 is '/usr/afs/bin/salvager'

- Edited /etc/sysconfig/openafs and removed the "-noauth" - restarted 
openafs-server in normal mode requiring authentication.


- Started client

- Ran kinit admin - put in pass - Success!

- Ran klist - with the following results:
   Ticket cache: FILE:/tmp/krb5cc_0
   Default principal: [EMAIL PROTECTED]

   Valid starting     Expires            Service principal
   05/02/08 09:34:21  05/03/08 09:34:21  krbtgt/[EMAIL PROTECTED]

   Kerberos 4 ticket cache: /tmp/tkt0
   klist: You have no tickets cached

- Ran aklog - Success!

- Ran tokens with the following results
   Tokens held by the Cache Manager:

   User's (AFS ID 1) tokens for [EMAIL PROTECTED] [Expires May  3 09:34]
  --End of list--

- Ran klist again and get
   Ticket cache: FILE:/tmp/krb5cc_0
   Default principal: [EM

Re: [OpenAFS] Newbie Question

2008-05-02 Thread Gary Bowling


I found a bit more information that may point to my problem. In the 
/var/log/krb5kdc.log log file I get the following errors. But I'm not 
sure how to resolve.



May 02 11:19:26 homepc.gbco.us krb5kdc[2192](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
May 02 11:19:26 homepc.gbco.us krb5kdc[2192](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  [EMAIL PROTECTED] for afs/[EMAIL PROTECTED], Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  [EMAIL PROTECTED] for afs/[EMAIL PROTECTED], Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  [EMAIL PROTECTED] for afs/[EMAIL PROTECTED], Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  [EMAIL PROTECTED] for afs/[EMAIL PROTECTED], Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=1}, [EMAIL PROTECTED] for [EMAIL PROTECTED]
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=1}, [EMAIL PROTECTED] for [EMAIL PROTECTED]



Gary Bowling
GBCO.US
[EMAIL PROTECTED]





Re: [OpenAFS] Newbie Question

2008-05-02 Thread Lars Wilke
* Gary Bowling wrote:
> {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  [EMAIL PROTECTED] for 
> afs/[EMAIL PROTECTED], Server not found in Kerberos database
> May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes 

Have a look at your dns setup you need forward rrs and ptr rrs to make
kerberos happy. Time has to be synchronized, too.

hth
   --lars
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Newbie Question

2008-05-02 Thread Sergio Gelato
* Steve Devine [2008-05-02 10:50:01 -0400]:
> Gary Bowling wrote:
> >   [realms]
> >GBCO.US = {
> > #master_key_type = des3-hmac-sha1
> > master_key_type = des-cbc-crc

(Aside: why downgrade to single-DES here?)

> >- Edited /etc/sysconfig/openafs and added the BOSSERVER_ARGS=-noauth 
> >line and started openafs-server - Success!
> >
> >- Ran bos setcellname localhost gbco.us -noauth - Success and bos 
> >listhosts localhost -noauth returns the cell name gbco.us and hostname 
> >homepc.gbco.us which are both correct.
> >
> >- Ran bos create -server homepc.gbco.us -instance ptserver -type 
> >simple -cmd /usr/afs/bin/ptserver -cell gbco.us  -noauth - Success!
> >
> >- Ran kadmin.local -q "addprinc admin" - Success!
> >
> >- Ran bos adduser homepc.gbco.us admin -cell gbco.us -noauth - Success

I think that one should answer Steve Devine's question.
> >
> >- Ran bos listkeys homepc.gbco.us -cell gbco.us -noauth - All looks 
> >good as follows.
> >   key 3 has cksum 2318139578
> >   Keys last changed on Fri May  2 07:21:18 2008.
> >   All done.
> >
> >- Ran pts createuser -name admin -cell gbco.us -noauth - Success!
> >
> >- Ran pts adduser admin system:administrators -cell gbco.us -noauth - 
> >success

Unless I'm mistaken you could restart bos without -noauth already at
this point. Doing so would expose authentication issues early,
separating them from the question of whether /afs is writeable to
an administrator (if you started your client with -dynroot it won't
be).

> >- Ran pts membership admin -cell gbco.us -noauth - Looks good with the 
> >following results.
> >   Groups admin (id: 1) is a member of:
> > system:administrators
> >
> >- Ran  bos create -server homepc.gbco.us -instance fs -type fs -cmd 
> >/usr/afs/bin/fileserver -cmd /usr/afs/bin/volserver -cmd 
> >/usr/afs/bin/salvager -cell gbco.us -noauth - Success!
> >
> >- Ran bos create -server homepc.gbco.us -instance vlserver -type 
> >simple -cmd /usr/afs/bin/vlserver -cell gbco.us -noauth - Success!
> >
> >-Ran bos create -server homepc.gbco.us -instance buserver -type simple 
> >-cmd /usr/afs/bin/buserver -cell gbco.us -noauth - Success!
> >
> >- Created /vicepa mount point and mounted - looks good.
> >
> >- Ran vos create -server homepc.gbco.us -partition /vicepa -name 
> >root.afs -cell gbco.us -noauth - Success!
> >
> >- Ran bos status homepc.gbco.us fs -long -noauth - Looks good with the 
> >following results..
> >   Instance fs, (type is fs) currently running normally.
> >   Auxiliary status is: file server running.
> >   Process last started at Fri May  2 09:25:37 2008 (2 proc starts)
> >   Command 1 is '/usr/afs/bin/fileserver'
> >   Command 2 is '/usr/afs/bin/volserver'
> >   Command 3 is '/usr/afs/bin/salvager'
> >
> >- Edited /etc/sysconfig/openafs and removed the "-noauth" - restarted 
> >openafs-server in normal mode requiring authentication.
> >
> >- Started client
> >
> >- Ran kinit admin - put in pass - Success!
> >
> >- Ran klist - with the following results:
> >   Ticket cache: FILE:/tmp/krb5cc_0
> >   Default principal: [EMAIL PROTECTED]
> >
> >   Valid starting     Expires            Service principal
> >   05/02/08 09:34:21  05/03/08 09:34:21  krbtgt/[EMAIL PROTECTED]
> >
> >   Kerberos 4 ticket cache: /tmp/tkt0
> >   klist: You have no tickets cached
> >
> >- Ran aklog - Success!
> >
> >- Ran tokens with the following results
> >   Tokens held by the Cache Manager:
> >
> >   User's (AFS ID 1) tokens for [EMAIL PROTECTED] [Expires May  3 09:34]
> >  --End of list--
> >
> >- Ran klist again and get
> >   Ticket cache: FILE:/tmp/krb5cc_0
> >   Default principal: [EMAIL PROTECTED]
> >
> >   Valid starting     Expires            Service principal
> >   05/02/08 09:34:21  05/03/08 09:34:21  krbtgt/[EMAIL PROTECTED]
> >   05/02/08 09:35:38  05/03/08 09:34:21  [EMAIL PROTECTED]
> >
> >   Kerberos 4 ticket cache: /tmp/tkt0
> >   klist: You have no tickets cached
> >
> >- Ran  fs checkvolumes - with the following results.
> >   All volumeID/name mappings checked.
> >
> >- Ran fs setacl /afs system:anyuser rl - Received the following error...
> >fs: You don't have the required access rights on '/afs'

Are you using -dynroot on the client by any chance?

> >I've done a number of subsequent things in kadmin and other places, 
> >but am at a loss as to how to resolve. Any help would be appreciated.

With -dynroot the way to manipulate root.afs is to first create and set
up root.cell (which will automatically appear at /afs/.gbco.us, at least
if your client-side CellServDB is properly set up), then mount root.afs
somewhere under it, set it up and unmount it. Alternatively, you could
run your client without -dynroot while you set up root.afs.


Re: [OpenAFS] Newbie Question

2008-05-02 Thread Kevin Coffman
On Fri, May 2, 2008 at 12:26 PM, Gary Bowling <[EMAIL PROTECTED]> wrote:
>
>  I found a bit more information that may point to my problem. In the
> /var/log/krb5kdc.log log file I get the following errors. But I'm not sure
> how to resolve.
>
>
>  May 02 11:19:26 homepc.gbco.us krb5kdc[2192](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16
> ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
>  May 02 11:19:26 homepc.gbco.us krb5kdc[2192](info): AS_REQ (7 etypes {18 17
> 16 23 1 3 2}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16
> ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
>  May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1})
> 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  [EMAIL PROTECTED] for
> afs/[EMAIL PROTECTED], Server not found in Kerberos database
>  May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1})
> 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  [EMAIL PROTECTED] for
> afs/[EMAIL PROTECTED], Server not found in Kerberos database
>  May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1})
> 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  [EMAIL PROTECTED] for
> afs/[EMAIL PROTECTED], Server not found in Kerberos database
>  May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1})
> 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  [EMAIL PROTECTED] for
> afs/[EMAIL PROTECTED], Server not found in Kerberos database
>  May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1})
> 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=1},
> [EMAIL PROTECTED] for [EMAIL PROTECTED]
>  May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1})
> 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=1},
> [EMAIL PROTECTED] for [EMAIL PROTECTED]

This is normal.  You created the afs principal as "afs", not
"afs/".  It [whatever you are using to get tokens] is
trying with the cellname first, and then falling back to just
"[EMAIL PROTECTED]" and succeeds.
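Kevin's reading of the log can be turned into a check that runs over the whole krb5kdc.log instead of being done by eye. The script below is an added example, not code from the thread, from OpenAFS or from MIT Kerberos. Its sample lines are constructed to match the shape of the lines Gary posted, with the principals the archive masked as [EMAIL PROTECTED] filled in with the realm GBCO.US and cell gbco.us used elsewhere on the page. It reports two things: a client that was refused afs/<cell>@REALM and then issued the bare afs@REALM ticket (the service principal exists only as "afs"), and afs tickets issued with a single-DES session key (ses=1 is des-cbc-crc, which the rxkad in OpenAFS 1.4 needs, so it is expected here, but it is worth seeing in the log that the cell depends on it).

```python
import re

# Constructed sample, modelled on the krb5kdc.log lines posted in the thread.
# The archive masked the principals as [EMAIL PROTECTED]; here they are filled
# in with the realm (GBCO.US) and cell (gbco.us) used elsewhere on the page.
SAMPLE_LOG = """\
May 02 11:19:26 homepc.gbco.us krb5kdc[2192](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=16}, admin@GBCO.US for krbtgt/GBCO.US@GBCO.US
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: UNKNOWN_SERVER: authtime 1209745166,  admin@GBCO.US for afs/gbco.us@GBCO.US, Server not found in Kerberos database
May 02 11:19:38 homepc.gbco.us krb5kdc[2192](info): TGS_REQ (1 etypes {1}) 10.0.0.150: ISSUE: authtime 1209745166, etypes {rep=16 tkt=16 ses=1}, admin@GBCO.US for afs@GBCO.US
"""

# One MIT krb5kdc "info" line: request type, requested etypes, client address,
# result, optional issued etypes, client principal and server principal.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d\d \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<client>[\d.]+): (?P<status>[A-Z_]+): authtime \d+,\s+"
    r"(?:etypes \{rep=\d+ tkt=\d+ ses=(?P<ses>\d+)\},\s+)?"
    r"(?P<princ>\S+) for (?P<server>[^,\s]+)"
)

# Kerberos enctype numbers for single DES: des-cbc-crc, des-cbc-md4, des-cbc-md5.
SINGLE_DES = {1, 2, 3}


def parse(log_text):
    """Return one dict per line that matches LINE_RE; other lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def find_afs_fallback(events):
    """(client, refused afs/<cell> name, issued afs@REALM name) for every client
    that asked for afs/<cell>@REALM, got UNKNOWN_SERVER, and was then issued the
    bare afs@REALM ticket. That is the pattern in the thread: the service
    principal was created as "afs", so the client's first choice is refused."""
    findings, pending = [], {}
    for ev in events:
        if ev["kind"] != "TGS_REQ":
            continue
        who = (ev["client"], ev["princ"])
        server = ev["server"]
        if ev["status"] == "UNKNOWN_SERVER" and server.startswith("afs/"):
            pending[who] = server            # remember the refused name
        elif ev["status"] == "ISSUE" and server.startswith("afs@") and who in pending:
            findings.append((ev["client"], pending.pop(who), server))
    return findings


def find_single_des_afs_tickets(events):
    """(client, server, session etype) for afs tickets issued with a DES session key."""
    return [(ev["client"], ev["server"], int(ev["ses"]))
            for ev in events
            if ev["kind"] == "TGS_REQ" and ev["status"] == "ISSUE"
            and ev["ses"] is not None and ev["server"].startswith("afs")
            and int(ev["ses"]) in SINGLE_DES]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for client, refused, issued in find_afs_fallback(evs):
        print(f"{client}: {refused} not in KDC, fell back to {issued}; "
              f"create afs/<cell> instead of a bare afs principal")
    for client, server, ses in find_single_des_afs_tickets(evs):
        print(f"{client}: {server} issued with single-DES session key (etype {ses})")
```

Run it over a real file with parse(open("/var/log/krb5kdc.log").read()). The fallback finding goes away once the service principal is created as afs/gbco.us rather than afs, which is what Jeffrey Altman and Thomas Kula recommend further down the thread; the single-DES finding stays for as long as the cell's rxkad needs des-cbc-crc keys.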


Re: [OpenAFS] Newbie Question

2008-05-02 Thread Gary Bowling


Ok, after being sidetracked by real work for an hour or so I'm back to 
looking at this. Here are some answers to a few of the responses.


Lars - Thanks, I had no idea DNS needed anything. I have everything in 
/etc/hosts right now. Will that work or do I need DNS entries? Time is 
sync'd already.


Sergio - No real reason to downgrade to single-des, I wasn't even 
thinking as that set up was just copied from some place I found... If I 
get it all working I'll go back and change that to 3des. As for 
-dynroot, I do not have that on the client, the only client option is 
-fakestat.


Christopher - Thanks for that, at least I can stop looking at those log 
entries :) Here is the output of vos listvldb -noauth

VLDB entries for all servers

root.afs
   RWrite: 536870912
   number of sites -> 1
  server homepc.gbco.us partition /vicepa RW Site

Total entries: 1

Kevin - Thanks for clarifying the log entries.

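Sergio's aside deserves a concrete answer, because the posted kdc.conf weakens more than it needs to: master_key_type = des-cbc-crc protects the whole principal database with single DES, and the supported_enctypes list hands every new principal DES keys as well, while the only thing in this setup that actually needs single DES is the afs service key (the rxkad in OpenAFS 1.4 works with des-cbc-crc, which is why the thread uses ktadd -e des-cbc-crc:afs3). The stanza below is an added example, not a file from the thread: it shows the posted settings beside a corrected [realms] block. The realm name and paths are the ones on the page; the corrected enctype list is an assumption for an MIT KDC of that era. Note that master_key_type is read when the database is created with kdb5_util create, so this is a change to make when rebuilding the lab (which Gary asks about further down), not by editing the file under an existing realm.

```ini
[realms]
GBCO.US = {
  # As posted in the thread: single-DES master key, and DES key types
  # handed to every new principal by default.
  # master_key_type = des-cbc-crc
  # supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3

  # Corrected (assumed list for an MIT KDC of that era): strong master key,
  # no single-DES keys by default. admin and ordinary users get only these.
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal

  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
}
```

The afs service principal is then the one deliberate exception and gets its DES key explicitly rather than through the defaults: kadmin.local -q "addprinc -randkey -e des-cbc-crc:afs3 afs/gbco.us", then kadmin.local -q "ktadd -e des-cbc-crc:afs3 afs/gbco.us", then asetkey add <kvno> /etc/krb5.keytab afs/gbco.us with the kvno that ktadd reports. Naming it afs/<cell> rather than afs is what Jeffrey Altman and Thomas Kula recommend later in the thread.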


Re: [OpenAFS] Newbie Question

2008-05-02 Thread Gary Bowling


One more piece of info, Steve asked what the output of klog admin was, 
which might point to something.


klog admin
Password:
Unable to authenticate to AFS because Authentication Server was unavailable.

Gary


Re: [OpenAFS] Newbie Question

2008-05-02 Thread Christopher D. Clausen
Gary Bowling <[EMAIL PROTECTED]> wrote:
> Ok, after being side tracked by real work for an hour or so I'm back
> to looking at this. Here are some answers to a few of the responses.
>
> Lars - Thanks, I had no idea DNS needed anything. I have everything in
> /etc/hosts right now. Will that work or do I need DNS entries? Time is
> sync'd already.

I don't think DNS is an issue at this point, although it might be.

vos listaddrs -nore output would be handy to see.

> Sergio - No real reason to downgrade to single-des, I wasn't even
> thinking as that set up was just copied from some place I found... If
> I get it all working I'll go back and change that to 3des. As for
> -dynroot, I do not have that on the client, the only client option is
> -fakestat.
>
> Christopher - Thanks for that, at least I can stop looking at those
> log entries :) Here is the output of vos listvldb -noauth
> VLDB entries for all servers
>
> root.afs
>RWrite: 536870912
>number of sites -> 1
>   server homepc.gbco.us partition /vicepa RW Site
>
> Total entries: 1

vos create root.cell, wait a few minutes, restart your AFS client, and 
then try the fs sa command again.  Just in case -dynroot is on, this will 
allow you to at least see something in /afs assuming you can get tokens 
with aklog.

The other question is if afsd is even loading properly.  Any dmesg 
output when afsd starts?



Re: [OpenAFS] Newbie Question

2008-05-02 Thread Steve Devine


what does vos listvldb 'servername'  and vos listvol 'servername' get you?

--
Steve Devine
E-Mail & Storage
Academic Technical Services
Michigan State University

313 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Baseball is ninety percent mental; the other half is physical.
- Yogi Berra



Re: [OpenAFS] Newbie Question

2008-05-02 Thread Gary Bowling


Here are the results,

vos listaddrs -nore
vsu_ClientInit: Could not get afs tokens, running unauthenticated.

If I do it with the "-noauth" I get no return.

vos listaddrs -nore -noauth


Gary


Re: [OpenAFS] Newbie Question

2008-05-02 Thread Esther Filderman
On Fri, May 2, 2008 at 2:22 PM, Gary Bowling <[EMAIL PROTECTED]> wrote:
>
>  One more piece of info, Steve asked what the output of klog admin was,
> which might point to something.
>
>  klog admin
>  Password:
>  Unable to authenticate to AFS because Authentication Server was
> unavailable.

klog is a KAserver thingy.  The "Authentication Server" it's looking
for is the KAserver, which you should not be running, unless you're
hoping to get broken into.

"klist admin" would be the right thing to look at.


Re: [OpenAFS] Newbie Question

2008-05-02 Thread Christopher D. Clausen
Gary Bowling <[EMAIL PROTECTED]> wrote:
> klog admin
> Password:
> Unable to authenticate to AFS because Authentication Server was
> unavailable.

I'm pretty sure you aren't using kaserver and as such klog won't work 
(without a ka-forwarder or another such service running.)  You want to 
use aklog and aklog -d output may be useful to debug, although I don't 
think that you are seeing problems with your tokens not working.



Re: [OpenAFS] Newbie Question

2008-05-02 Thread Gary Bowling


Here are the outputs of several..

First this command and response: 
vos listvldb

vsu_ClientInit: Could not get afs tokens, running unauthenticated.
VLDB entries for all servers

root.afs
   RWrite: 536870912
   number of sites -> 1
  server homepc.gbco.us partition /vicepa RW Site

Total entries: 1

The same command with the host name..
vos listvldb homepc.gbco.us
vsu_ClientInit: Could not get afs tokens, running unauthenticated.
VLDB: no such entry


The same command with "localhost" for the hostname.
vos listvldb localhost
vsu_ClientInit: Could not get afs tokens, running unauthenticated.
VLDB: no such entry

And the listvol command with the hostname. This command gives the same 
results with localhost and an error if you don't use a server name.

vos listvol homepc.gbco.us
vsu_ClientInit: Could not get afs tokens, running unauthenticated.
Total number of volumes on server homepc.gbco.us partition /vicepa: 1
root.afs  536870912 RW  2 K On-line

Total volumes onLine 1 ; Total volumes offLine 0 ; Total busy 0





Re: [OpenAFS] Newbie Question

2008-05-02 Thread Gary Bowling


Ok, I appear to be beating my head here.. What is the best way to clean 
this thing and re-start? I think I can get rid of all the AFS, but not 
sure about the krb stuff. Is there a convenient way to delete all the 
kerberos pieces and start fresh?


I've done so many things now, I may have it all fouled up beyond repair 
:) Hey this is what labs are for!


Thanks,

Gary


Re: [OpenAFS] Newbie Question

2008-05-02 Thread Gary Bowling


Ok, maybe a few more tries.. Is there something wrong with my REALM or 
my cell name? Something doesn't match correctly, but I'm not sure what..


Why do I get this, if I do a "klist admin" or a "klist [EMAIL PROTECTED]" I 
get the following:


klist admin
klist: No credentials cache found (ticket cache FILE:admin)

But if I just do a "klist" I get the following, which seems to be 
returning info about admin..


klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 15:05:58  05/03/08 15:05:58  krbtgt/[EMAIL PROTECTED]
05/02/08 15:09:05  05/03/08 15:05:58  [EMAIL PROTECTED]


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached



Re: [OpenAFS] Newbie Question

2008-05-02 Thread Jeffrey Altman

Gary Bowling wrote:

05/02/08 15:09:05  05/03/08 15:05:58  [EMAIL PROTECTED]


I strongly recommend against the use of the [EMAIL PROTECTED]
form of the afs service ticket name in place of afs/[EMAIL PROTECTED]
since [EMAIL PROTECTED] can be any realm.

Using afs/[EMAIL PROTECTED] permits the realm to provide service
tickets for multiple cells.  And it will also provide faster
response to AFS clients which will ask for afs/[EMAIL PROTECTED]
before [EMAIL PROTECTED]

Jeffrey Altman







Re: [OpenAFS] Newbie Question

2008-05-02 Thread Steve Devine

Gary Bowling wrote:


Ok, maybe a few more tries.. Is there something wrong with my REALM or 
my cell name? Something doesn't match correctly, but I'm not sure what..


Why do I get this, if I do a "klist admin" or a "klist [EMAIL PROTECTED]" 
I get the following:


klist admin
klist: No credentials cache found (ticket cache FILE:admin)
The klist command normally gets run by itself; if there is currently a 
Kerberos ticket in the cache it will tell you what it is.

So what you are describing is normal behavior.


But if I just do a "klist" I get the following, which seems to be 
returning info about admin..


klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 15:05:58  05/03/08 15:05:58  krbtgt/[EMAIL PROTECTED]
05/02/08 15:09:05  05/03/08 15:05:58  [EMAIL PROTECTED]


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Again normal behavior. If you can then run aklog you should get an AFS 
token; this token is what gives you admin rights within the cell.
Once you successfully run aklog (again by itself) you can run "tokens" 
and see what your tokens are.


So like this:
> kinit sparty
Password for [EMAIL PROTECTED]:
> aklog
> tokens

Tokens held by the Cache Manager:

User's (AFS ID 09) tokens for [EMAIL PROTECTED] [Expires May  3 22:12]






--
Steve Devine
Academic Technology Services
313 Computer Center
Michigan State University
East Lansing, MI 48824-1042
1-517-432-7327
Baseball is ninety percent mental; the other half is physical.
- Yogi Berra 




Re: [OpenAFS] Newbie Question

2008-05-06 Thread Gary Bowling



Thanks to everyone for the suggestions and help last week! I finally 
resolved my issue, although I'm not sure what caused it. I'm sure it was 
"operator error" just not sure when/where.


The resolution turned out to be as simple as deleting the afs key with 
the command.


asetkey remove 3 /etc/krb5.keytab afs

Removing it from the krb database with

kadmin.local -q "ktrem afs"

re-adding it with

kadmin.local -q "ktadd -e des-cbc-crc:afs3 afs"
which gave me a number "10"

and adding the new one back with

asetkey add 10 /etc/krb5.keytab afs

All seems well now, on to setting up my authentication server.

Gary
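Gary's fix is the classic kvno mismatch between the Kerberos keytab and the AFS servers' KeyFile. kadmin's ktadd generates a fresh random key and bumps the kvno every time it runs, so after ktrem and ktadd the keytab held kvno 10 while the KeyFile (what bos listkeys prints) still held kvno 3, and the file servers could not decrypt tokens minted with the new key until asetkey was run again with the current kvno. The script below is an added example, not code from the thread, from OpenAFS or from MIT Kerberos; it also covers the asetkey step Thomas Kula describes further down. It parses both files and reports whether they agree, using constructed keys and the principal name afs/gbco.us that later replies recommend. The keytab bytes follow the MIT keytab file format; the KeyFile layout (big-endian count, then kvno/key pairs, padded to eight slots) is taken from OpenAFS's afsconf_keys structure and is an assumption here.

```python
import struct

# Added example (not from the thread, OpenAFS or MIT): check that the afs
# service key in a krb5 keytab matches the key the AFS servers hold in
# KeyFile. Keytab bytes follow the MIT keytab format (version 0x0502). The
# KeyFile layout is assumed from OpenAFS's afsconf_keys struct: big-endian
# int32 count, then (int32 kvno, 8-byte DES key) pairs, padded to 8 slots.
# Every key below is constructed for the example.

DES_CBC_CRC = 1       # Kerberos enctype number; the type rxkad in 1.4 uses
KEYFILE_SLOTS = 8     # AFSCONF_MAXKEYS


def _counted(data):
    """uint16 length prefix + bytes (the keytab's counted_octet_string)."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """(components, realm, kvno, enctype, key) tuples -> keytab bytes."""
    out = bytearray(b"\x05\x02")
    for components, realm, kvno, enctype, key in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">II", 1, 1209745166)   # name_type, timestamp
        body += struct.pack(">B", kvno & 0xFF)       # 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)              # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Keytab bytes -> [{principal, kvno, enctype, key}] for live entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted slot: skip its bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []                   # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        pos += 8                     # name_type + timestamp
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        key = data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
        if end - pos >= 4:           # 32-bit vno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def build_keyfile(keys):
    """(kvno, key) pairs -> KeyFile bytes, padded to KEYFILE_SLOTS entries."""
    out = struct.pack(">i", len(keys))
    for kvno, key in keys:
        out += struct.pack(">i8s", kvno, key)
    return out + bytes(12 * (KEYFILE_SLOTS - len(keys)))


def parse_keyfile(data):
    """KeyFile bytes -> {kvno: key} for the nkeys live entries."""
    (nkeys,) = struct.unpack_from(">i", data, 0)
    return dict(struct.unpack_from(">i8s", data, 4 + 12 * i) for i in range(nkeys))


def check_afs_key(keytab, keyfile):
    """For each des-cbc-crc afs* keytab entry, report whether KeyFile carries
    the same kvno with the same key bytes. Anything but "ok" means the file
    servers cannot decrypt tokens minted from that keytab key."""
    kf = parse_keyfile(keyfile)
    report = []
    for e in parse_keytab(keytab):
        name = e["principal"].split("@")[0].split("/")[0]
        if name != "afs" or e["enctype"] != DES_CBC_CRC:
            continue
        if e["kvno"] not in kf:
            status = "kvno missing in KeyFile"
        elif kf[e["kvno"]] != e["key"]:
            status = "key bytes differ"
        else:
            status = "ok"
        report.append((e["principal"], e["kvno"], status))
    return report


def example():
    """The thread's situation with constructed keys: ktrem + ktadd gave the afs
    principal a fresh random key under kvno 10, so a KeyFile still holding
    only kvno 3 does not match until asetkey is re-run with kvno 10."""
    key3, key10 = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
    keytab = build_keytab([(("afs", "gbco.us"), "GBCO.US", 10, DES_CBC_CRC, key10)])
    before = check_afs_key(keytab, build_keyfile([(3, key3)]))
    after = check_afs_key(keytab, build_keyfile([(10, key10)]))
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before asetkey", "after asetkey"), example()):
        print(label, report)
```

Against a real cell, feed it open("/etc/krb5.keytab", "rb").read() and open("/usr/afs/etc/KeyFile", "rb").read() on a server. The check only makes sense for the single-DES key, since that is the only key type the 1.4-era KeyFile can hold; it also reads the 32-bit kvno field at the end of each keytab entry, which matters once a principal's kvno passes 255.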


Re: [OpenAFS] Newbie question.

2008-07-21 Thread Thomas Kula
On Mon, Jul 21, 2008 at 11:25:13AM +0100, Max Lock wrote:
> 
> Hi Folks,
> I'm very near completing my first openafs setup. I've installed the
> MIT kerberos 5 service and the openafs service on separate debian
> machines, as I plan to add extra AFS cells in the near future. Having
> looked at two howto's..
> * [1]http://www.gentoo.org/doc/en/openafs.xml
> * [2]http://www.scode.org/afs/openafs-install.txt
> I'm able to obtain kerberos keys on a client just fine. However I'm
> unsure how to 'link' openafs and kerberos together. Both howto's
> assume a single server is running both systems and use asetkey to copy
> a kerberos key into afs (asetkey add  /etc/krb5.keytab afs) so I
> copied over the keytab file from the kerberos server to complete this
> step. Was this correct?

Yes, that will work. asetkey reads the principal from the keytab
and turns it into a KeyFile for use by the AFS server processes.
Essentially, take a copy of whatever keytab you put the afs
principal in, put it on one of your AFS server machines, and
run asetkey. Note that you only have to do this once, after the
KeyFile is created you can simply copy that over to any new AFS
server machines. 

Note that you most likely do not want to call your principal 
"[EMAIL PROTECTED]" but rather "afs/[EMAIL PROTECTED]" --- the latter is the
modern convention, is tried first by most things nowadays,
and facilitates having multiple AFS cells serviced by a single
Kerberos realm.


-- 
Thomas L. Kula | [EMAIL PROTECTED] | http://kula.tproa.net/
Mathom House in Midtown, The People's Republic of Ames


Re: [OpenAFS] Newbie question.

2008-07-22 Thread Dirk Heinrichs
Max Lock schrieb:

>  * http://www.gentoo.org/doc/en/openafs.xml

Please note that this has been outdated for years. Better look at the HowTo
on gentoo-wiki.com, but make sure to read the "Discussion" tab, too.

Bye...

Dirk




Re: [OpenAFS] Newbie question.

2008-07-22 Thread Dirk Heinrichs
Dirk Heinrichs schrieb:
> Max Lock schrieb:
> 
>>  * http://www.gentoo.org/doc/en/openafs.xml
> 
> Please note that this is outdated since years. Better look at the HowTo
> on gentoo-wiki.com, but make sure to read the "Discussion" tab, too.

Just found out that the old HowTo on gentoo-wiki.com has been replaced
with a new one, which uses MIT Kerberos5 from the beginning (the old one
still used kaserver). So forget about the "Discussion" tab, it doesn't
contain anything, yet :-)

Here's the link: http://gentoo-wiki.com/HOWTO_OpenAFS

Bye...

Dirk






Re: [OpenAFS] newbie question

2004-05-26 Thread Jimmy Engelbrecht
[EMAIL PROTECTED] writes:

> hello,
> 
> when faced with a salvager hung for no apparent reason, is it appropriate to
> delete the file /usr/afs/local/SALVAGER.fs and restart the bos server?

If you just kill your salvager the bosserver will start a new one.

are you sure the salvager is hung ?
on a big and slow disk it can take many hours to complete salvage.

/Jimmy


Re: [OpenAFS] newbie question -> libafs.ko is same as openafs.ko ?

2007-06-20 Thread Derek Atkins

Quoting user007 user <[EMAIL PROTECTED]>:


> Hi ALL,
>
> I'm compiling openafs from sources. After "make install", I get
> libafs.ko and not openafs.ko. Is this expected? Is this module the same
> as openafs.ko, and does it make any difference in functioning?

Yes.  The RPM SPEC applies a patch to change the name from libafs.ko
to openafs.ko.  They are effectively the same.

> Thanks !!


-derek

--
  Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
  Member, MIT Student Information Processing Board  (SIPB)
  URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH
  [EMAIL PROTECTED]PGP key available
