
Re: AFS



Oki DZ <okidz@pindad.com> writes:
> I'm trying to have openafs-fileserver & openafs-client running on my
> system. I can get both running, but I have problems in using pts.
> I already set the /etc/openafs/server/KeyFile using asetkey with the
> keytab retrieved from the Kerberos server (kadmin.local; ktadd -k
> /tmp/afs.keytab afs; asetkey add, noting the kvno from ktadd).
> Unfortunately, I have the following:
>
> root@okidz:~# kinit afs
> Password for afs@PINDAD.CO.ID: 
> root@okidz:~# aklog
> root@okidz:~# tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1) tokens for afs@pindad.co.id [Expires Nov  9 01:07]
>    --End of list--
> root@okidz:~# pts listentries
> Name                          ID  Owner Creator
> pts: ticket contained unknown key version number ; unable to list entries
>
> Question is, what unknown key?
>
> BTW, I noticed also that when a keytab had been retrieved from the
> Kerberos server (using that ktadd), the password of the principal got
> lost; I could no longer do kinit using the same password. I had to
> change it first, and then kinit. What gives?

It sounds like you're running into some Kerberos lossage.  Exporting a
keytab using kadmin also force-changes the key ("password") for that
principal.  The Kerberos server also maintains a revision number for
each principal ("kvno", for "key version number"); every time the key
changes, the kvno increments.

So, if what you're doing is something like this:

  kadmin (do ktadd to produce keytab)
  asetkey
  kpasswd (change key to something you know)
  kinit, etc.

Then you wind up putting a different key into the AFS server than
you're using for other things.

My impression is that you never actually want to 'kinit afs', though.
You should create a user principal instead, and add it to the AFS
system:administrators group, and then do things using that.  Reading
the documentation on http://www.openafs.org/, it looks like you want
to populate system:administrators before you start up the cell with
authorization checking turned on.  (The particular document I'm
looking at is the "AFS Quick Start Guide for UNIX".)

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
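The kvno mismatch described in the reply above can be checked offline, before restarting the fileserver. The following is an added example, not code from the thread or from OpenAFS: it builds a small MIT-format keytab (file version 0x0502) and a classic OpenAFS KeyFile (a 32-bit count followed by eight slots of 32-bit kvno plus 8-byte DES key, which is what asetkey writes for single-DES keys), parses both back, and compares them with the kvno the KDC is currently issuing tickets under (what `kvno afs` prints after a kinit). The principal, realm, key bytes and kvno values are constructed for the demonstration; the "newer KeyFileExt" layout used with non-DES keys is not covered.

```python
"""Diagnose "ticket contained unknown key version number" for an AFS cell.

Added example (not from the thread). Models the three places a kvno lives:
  - the keytab that `kadmin ... ktadd` wrote,
  - the fileserver's KeyFile that `asetkey add` wrote from that keytab,
  - the kvno the KDC currently uses for the afs principal (ticket kvno).
If the key was changed after ktadd (e.g. by kpasswd), the KDC moves on to
kvno N+1 while the KeyFile still only holds N, and the fileserver cannot
decrypt the service ticket.

Assumptions: MIT keytab v2 layout; classic OpenAFS DES KeyFile layout.
"""
import re
import struct

KEYFILE_SLOTS = 8            # fixed-size table in the classic KeyFile
DES_KEY_LEN = 8
SINGLE_DES_ENCTYPES = (1, 2, 3)   # des-cbc-crc, des-cbc-md4, des-cbc-md5


def build_keytab(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialize one entry in MIT keytab v2 format (constructed test data)."""
    def octets(b):
        return struct.pack(">H", len(b)) + b
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + octets(realm.encode())
    for c in comps:
        body += octets(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type=1, ts, vno8
    body += struct.pack(">H", enctype) + octets(key)
    body += struct.pack(">I", kvno)                         # vno32 extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return [(principal@REALM, kvno, enctype, key)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    pos, entries = 2, []

    def u16():
        nonlocal pos
        (v,) = struct.unpack_from(">H", data, pos); pos += 2
        return v

    def u32():
        nonlocal pos
        (v,) = struct.unpack_from(">I", data, pos); pos += 4
        return v

    def octets():
        nonlocal pos
        n = u16()
        v = data[pos:pos + n]; pos += n
        return v

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:            # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        ncomp = u16()
        realm = octets().decode()
        comps = [octets().decode() for _ in range(ncomp)]
        u32()                    # name_type
        u32()                    # timestamp
        vno8 = data[pos]; pos += 1
        enctype = u16()
        key = octets()
        kvno = u32() if end - pos >= 4 else vno8   # vno32, when present, wins
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def build_keyfile(keys):
    """Serialize {kvno: 8-byte DES key} into the classic OpenAFS KeyFile layout."""
    if len(keys) > KEYFILE_SLOTS:
        raise ValueError("classic KeyFile holds at most 8 keys")
    out = struct.pack(">i", len(keys))
    for kvno, key in sorted(keys.items()):
        if len(key) != DES_KEY_LEN:
            raise ValueError("classic KeyFile keys are single DES (8 bytes)")
        out += struct.pack(">i", kvno) + key
    return out + b"\x00" * ((KEYFILE_SLOTS - len(keys)) * (4 + DES_KEY_LEN))


def parse_keyfile(data):
    """Return {kvno: key} from a classic KeyFile."""
    (n,) = struct.unpack_from(">i", data, 0)
    keys = {}
    for i in range(n):
        off = 4 + i * (4 + DES_KEY_LEN)
        (kvno,) = struct.unpack_from(">i", data, off)
        keys[kvno] = data[off + 4:off + 4 + DES_KEY_LEN]
    return keys


def parse_kvno_output(line):
    """Extract N from an MIT `kvno` line such as 'afs@REALM: kvno = 4'."""
    m = re.search(r"kvno = (\d+)", line)
    if not m:
        raise ValueError("unrecognised kvno output: %r" % line)
    return int(m.group(1))


def diagnose(keytab_bytes, keyfile_bytes, principal, ticket_kvno):
    """Return a list of findings; an empty list means keytab, KeyFile and KDC agree."""
    findings = []
    entries = [e for e in parse_keytab(keytab_bytes) if e[0] == principal]
    keyfile = parse_keyfile(keyfile_bytes)
    if not entries:
        findings.append("keytab has no entry for %s" % principal)
    for _, kvno, enctype, key in entries:
        if enctype not in SINGLE_DES_ENCTYPES:
            findings.append("keytab kvno %d uses enctype %d, not single DES" % (kvno, enctype))
        if kvno not in keyfile:
            findings.append("keytab kvno %d was never loaded with asetkey (KeyFile has %s)"
                            % (kvno, sorted(keyfile)))
        elif keyfile[kvno] != key:
            findings.append("KeyFile kvno %d holds a different key than the keytab" % kvno)
    if ticket_kvno not in keyfile:
        findings.append("KDC issues tickets with kvno %d but KeyFile has %s: the key changed "
                        "after ktadd (e.g. kpasswd); re-run ktadd and asetkey add"
                        % (ticket_kvno, sorted(keyfile)))
    return findings


# Constructed sample data: realm from the thread, key bytes invented.
AFS_PRINCIPAL = "afs@PINDAD.CO.ID"
SAMPLE_DES_KEY = bytes.fromhex("13579bdf02468ace")
SAMPLE_KEYTAB = build_keytab("afs", "PINDAD.CO.ID", kvno=3, enctype=1, key=SAMPLE_DES_KEY)
SAMPLE_KEYFILE = build_keyfile({3: SAMPLE_DES_KEY})

if __name__ == "__main__":
    # Healthy cell: KDC still on kvno 3.
    print(diagnose(SAMPLE_KEYTAB, SAMPLE_KEYFILE, AFS_PRINCIPAL, 3))
    # After a kpasswd on the afs principal: KDC moved to kvno 4.
    for f in diagnose(SAMPLE_KEYTAB, SAMPLE_KEYFILE, AFS_PRINCIPAL,
                      parse_kvno_output("afs@PINDAD.CO.ID: kvno = 4")):
        print("-", f)
```

On a real server the inputs would be the bytes of /tmp/afs.keytab and /etc/openafs/server/KeyFile and the number from `kvno afs`; the check only tells you which of the three disagrees, it does not change any key. Note that the comparison of key bytes between keytab and KeyFile only works for the classic single-DES KeyFile modelled here.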


