Re: AFS
Oki DZ <okidz@pindad.com> writes:
> I'm trying to have openafs-fileserver & openafs-client running on my
> system. I can get both running, but I have problems in using pts.
> I already set the /etc/openafs/server/KeyFile using asetkey with the
> keytab retrieved from the Kerberos server (kadmin.local; ktadd -k
> /tmp/afs.keytab afs; asetkey add, noting the kvno from ktadd).
> Unfortunately, I have the following:
>
> root@okidz:~# kinit afs
> Password for afs@PINDAD.CO.ID:
> root@okidz:~# aklog
> root@okidz:~# tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1) tokens for afs@pindad.co.id [Expires Nov 9 01:07]
> --End of list--
> root@okidz:~# pts listentries
> Name ID Owner Creator
> pts: ticket contained unknown key version number ; unable to list entries
>
> Question is, what unknown key?
>
> BTW, I noticed also that when a keytab had been retrieved from the
> Kerberos server (using that ktadd), the password of the principal got
> lost; I could no longer do kinit using the same password. I had to
> change it first, and then kinit. What gives?

It sounds like you're running into some Kerberos lossage. Exporting a
keytab using kadmin also force-changes the key ("password") for that
principal. The Kerberos server also maintains a revision number for
each principal ("kvno", for "key version number"); every time the key
changes, the kvno increments.

So, if what you're doing is something like this:

  kadmin (do ktadd to produce keytab)
  asetkey
  kpasswd (change key to something you know)
  kinit, etc.

Then you wind up putting a different key into the AFS server than
you're using for other things.

My impression is that you never actually want to 'kinit afs', though.
You should create a user principal instead, and add it to the AFS
system:administrators group, and then do things using that. Reading
the documentation on http://www.openafs.org/, it looks like you want
to populate system:administrators before you start up the cell with
authorization checking turned on. (The particular document I'm
looking at is the "AFS Quick Start Guide for UNIX".)

--
David Maze dmaze@debian.org http://people.debian.org/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal."
-- Abra Mitchell
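
Added example, not part of the original message: a toy Python model (not real Kerberos or OpenAFS code) of the ktadd / asetkey / kpasswd / kinit sequence described in the reply, showing how the AFS server ends up holding a kvno older than the one on the ticket. All class and function names are hypothetical, and keys are random bytes standing in for real Kerberos keys.

```python
import hashlib
import secrets


class ToyKDC:
    """Toy KDC state for one principal: current key and kvno."""
    def __init__(self):
        self.kvno, self.key = 1, secrets.token_bytes(16)

    def _rekey(self, key):
        self.kvno += 1  # every key change increments the kvno
        self.key = key

    def ktadd(self):
        # Exporting a keytab force-changes the key to a new random one.
        self._rekey(secrets.token_bytes(16))
        return {"kvno": self.kvno, "key": self.key}

    def kpasswd(self, password):
        # Stand-in key derivation (assumption; real Kerberos uses string-to-key).
        self._rekey(hashlib.sha256(password.encode()).digest()[:16])

    def issue_ticket(self):
        # Tickets are tagged with the kvno of the key that sealed them.
        return {"kvno": self.kvno, "key": self.key}


class ToyKeyFile:
    """Stand-in for the AFS server KeyFile: kvno -> key, filled by asetkey."""
    def __init__(self):
        self.keys = {}

    def asetkey_add(self, entry):
        self.keys[entry["kvno"]] = entry["key"]

    def check(self, ticket):
        key = self.keys.get(ticket["kvno"])
        if key is None:
            return "unknown key version number"
        return "ok" if key == ticket["key"] else "key mismatch"


def run_sequence(kpasswd_after_export):
    kdc, keyfile = ToyKDC(), ToyKeyFile()
    keyfile.asetkey_add(kdc.ktadd())         # kadmin ktadd, then asetkey
    if kpasswd_after_export:
        kdc.kpasswd("constructed-password")  # key changes again after export
    return keyfile.check(kdc.issue_ticket())  # kinit/aklog, then pts
```

Calling run_sequence(True) reproduces the "unknown key version number" result, while run_sequence(False), where nothing changes the key after the keytab export, returns "ok".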