Package: openafs
Severity: normal

Hi,

This report follows the config session described in
/usr/share/doc/openafs-*/configuration-transcript.txt.gz

Comments will be enclosed by *'s.

General comment before starting: the /configuration-transcript.txt.gz is
good and all, but it would be even better to have a more manual approach,
and have people test the configuration as they go along. See, for example,
the Gentoo equivalent (http://www.gentoo.org/doc/en/openafs.xml), which is
rather manual, but has a ton of verification, which I think is good.

The log was made using screen, initializing with 'screen -L', and setting
debconf to readline mode. The screen logs have lots of ^M's at the end, and
produce other garbage, which I've mostly removed. If you can suggest better
ways of logging a terminal session, let me know.

I'll start off with my /etc/hosts file.

/etc/hosts begins*****************************************
127.0.0.1       localhost
152.3.172.51    riverside.dulci.biostat.duke.edu   riverside

# The following lines are desirable for IPv6 capable hosts
# (added automatically by netbase upgrade)

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
/etc/hosts ends******************************************

Ok, now the configuration transcript.

comment ends**************************************************************

configuration transcript begins*******************************************

riverside:/home/faheem# apt-get -q install openafs-dbserver openafs-krb5 krb5-admin-server
Reading Package Lists...
Building Dependency Tree...
The following extra packages will be installed:
  krb5-config krb5-kdc krb5-user openafs-client openafs-fileserver
The following NEW packages will be installed:
  krb5-admin-server krb5-config krb5-kdc krb5-user openafs-client openafs-dbserver openafs-fileserver openafs-krb5
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 3275kB of archives.
After unpacking 7786kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://ftp.us.debian.org sarge/main krb5-config 1.6 [10.2kB]
Get:2 http://ftp.us.debian.org sarge/main openafs-client 1.3.81-3sarge1 [1547kB]
Get:3 http://security.debian.org stable/updates/main krb5-user 1.3.6-2sarge2 [127kB]
Get:4 http://security.debian.org stable/updates/main krb5-kdc 1.3.6-2sarge2 [115kB]
Get:5 http://security.debian.org stable/updates/main krb5-admin-server 1.3.6-2sarge2 [94.8kB]
Get:6 http://ftp.us.debian.org sarge/main openafs-fileserver 1.3.81-3sarge1 [783kB]
Get:7 http://ftp.us.debian.org sarge/main openafs-dbserver 1.3.81-3sarge1 [467kB]
Get:8 http://ftp.us.debian.org sarge/main openafs-krb5 1.3-10.1 [129kB]
Fetched 3275kB in 5s (550kB/s)
[snip]

Configuring krb5-config
-----------------------

  When users attempt to use Kerberos and specify a principal or user
  name without specifying what administrative Kerberos realm that
  principal belongs to, the system appends the default realm.
  Normally default realm is the upper case version of the local DNS
  domain.

What is the default Kerberos version 5 realm? DULCI.BIOSTAT.DUKE.EDU


Configuring krb5-kdc
--------------------
By default, Kerberos4 requests are allowed from principals that do not require
preauthentication.  This allows Kerberos4 services to exist while requiring
most users to use Kerberos5 clients to get their initial tickets.  These
tickets can then be converted to Kerberos4 tickets. Alternatively, the mode can
be set to full, allowing Kerberos4 to get initial tickets even when
preauthentication would normally be required, or to disable, which will
disable all Kerberos4 support.

  1. disable  2. full  3. nopreauth  4. none

Kerberos4 compatibility mode to use: 3

Configuring krb5-admin-server
-----------------------------

Setting up a Kerberos Realm

This package contains the administrative tools necessary to run on the Kerberos
master server.  However, installing this package does not automatically set up
a Kerberos realm.  Doing so requires entering passwords and as such is not
well-suited for package installation.  To create the realm, run the
krb5_newrealm command. You may also wish to read
/usr/share/doc/krb5-kdc/README.KDC and the administration guide found in the
krb5-doc package.
Don't forget to set up DNS information so your clients can find your KDC and
admin servers.  Doing so is documented in the administration guide.

Configuring openafs-client
--------------------------

AFS filespace is organized into cells or administrative domains. Each
workstation belongs to one cell.  Usually the cell is the DNS domain name of
the site.

 What AFS cell does this workstation belong to? dulci.biostat.duke.edu

AFS uses an area of the disk to cache remote files for faster access.  This
cache will be mounted on /var/cache/openafs.  It is important that the cache
not overfill the partition it is located on.  Often, people find it useful to
dedicate a partition to their AFS cache.

How large is your AFS cache (kB)? 50000

/afs generally contains an entry for each cell that a client can talk to.
Traditionally, these entries were generated by servers in the client's home
cell.  However, OpenAFS clients can generate the contents of /afs dynamically
based on the contents of /etc/openafs/CellServDB and DNS.

If you generate /afs dynamically, you may need to create /etc/openafs/CellAlias
to include aliases for common cells. DO NOT SELECT THIS OPTION IF THIS MACHINE
IS THE FIRST DATABASE SERVER IN A NEW CELL.
Dynamically generate the contents of /afs? no

Selecting previously deselected package krb5-config.
(Reading database ... 79883 files and directories currently installed.)
Unpacking krb5-config (from .../krb5-config_1.6_all.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.3.6-2sarge2_i386.deb) ...
Selecting previously deselected package krb5-kdc.
Unpacking krb5-kdc (from .../krb5-kdc_1.3.6-2sarge2_i386.deb) ...
Selecting previously deselected package krb5-admin-server.
Unpacking krb5-admin-server (from .../krb5-admin-server_1.3.6-2sarge2_i386.deb) ...
Selecting previously deselected package openafs-client.
Unpacking openafs-client (from .../openafs-client_1.3.81-3sarge1_i386.deb) ...
Selecting previously deselected package openafs-fileserver.
Unpacking openafs-fileserver (from .../openafs-fileserver_1.3.81-3sarge1_i386.deb) ...
Selecting previously deselected package openafs-dbserver.
Unpacking openafs-dbserver (from .../openafs-dbserver_1.3.81-3sarge1_i386.deb) ...
Selecting previously deselected package openafs-krb5.
Unpacking openafs-krb5 (from .../openafs-krb5_1.3-10.1_i386.deb) ...
Setting up krb5-config (1.6) ...
Configuring krb5-config
-----------------------

Enter the hostnames of Kerberos servers in the DULCI.BIOSTAT.DUKE.EDU Kerberos 
realm separated by spaces.

What are the Kerberos servers for your realm? 
riverside.dulci.biostat.duke.edu


Enter the hostname of the administrative (password changing) server for  the 
DULCI.BIOSTAT.DUKE.EDU  Kerberos realm.

What is the administrative  server for your Kerberos realm? 
riverside.dulci.biostat.duke.edu

Setting up krb5-user (1.3.6-2sarge2) ...
Setting up krb5-kdc (1.3.6-2sarge2) ...

Setting up krb5-admin-server (1.3.6-2sarge2) ...
Starting Kerberos Administration Servers: kadmind: No such file or directory while initializing, aborting
kadmind.

Setting up openafs-client (1.3.81-3sarge1) ...
Configuring openafs-client
--------------------------

AFS uses the file /etc/openafs/CellServDB to hold the list of servers that
should be contacted to find parts of a cell.  The cell you claim this
workstation belongs to is not in that file.  Enter the host names of the
database servers separated by spaces.
IMPORTANT: If you are creating a new cell and this machine is to be a database
server in that cell, only enter this machine's name; add the other servers
later after they are functioning. Also, do not enable the AFS client to start
at boot on this server until the cell is configured.  When you are ready you
can edit /etc/openafs/afs.conf.client to enable the client.

What hosts are DB servers for your home cell? riverside.dulci.biostat.duke.edu

Should the Openafs filesystem be started and mounted at boot? Normally, most
users who install the openafs-client package expect to run it at boot.
However, if you are planning on setting up a new cell or are on a laptop, you
may not want it started at boot time. If you choose not to start AFS at boot,
run /etc/init.d/openafs-client force-start to start the client when you wish
to run it.

Run Openafs client now and at boot? no

Setting up openafs-fileserver (1.3.81-3sarge1) ...
Starting AFS Server: bosserver.

Setting up openafs-dbserver (1.3.81-3sarge1) ...
Setting up openafs-krb5 (1.3-10.1) ...
riverside:/home/faheem# krb5_newrealm 
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'DULCI.BIOSTAT.DUKE.EDU',
master key name 'K/[EMAIL PROTECTED]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
Starting Kerberos KDC: krb5kdc krb524d.
Starting Kerberos Administration Servers: kadmind.

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.

comment begins********************************************************
I've only the sketchiest idea what the purpose of these principals is. The
original transcript compounds confusion by using a preexisting account, e.g.

"Re-enter KDC database master key to verify:foo

Authenticating as principal hartmans/[EMAIL PROTECTED] with password."

Do I need to create two principals, namely faheem and faheem/admin? If so,
what purposes do they serve?

Is there some way I can authenticate that I have set this up correctly?
comment ends***********************************************************

riverside:/home/faheem# kadmin.local -e des-cbc-crc:v4
Authenticating as principal faheem/[EMAIL PROTECTED] with password.


comment begins*********************************************************
When I did this before, I was getting root/[EMAIL PROTECTED] 

As far as I know I cleared out all the configuration, so I am not sure what
has changed.
comment ends***********************************************************

kadmin.local:  addprinc -randkey afs
WARNING: no policy specified for [EMAIL PROTECTED]; defaulting to no policy
Principal "[EMAIL PROTECTED]" created.
kadmin.local: ktadd -k /tmp/riverside.keytab afs
Entry for principal afs with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/riverside.keytab.
kadmin.local:  quit
riverside:/home/faheem# kadmin.local
Authenticating as principal faheem/[EMAIL PROTECTED] with password.
kadmin.local:  addprinc faheem
WARNING: no policy specified for [EMAIL PROTECTED]; defaulting to no policy
Enter password for principal "[EMAIL PROTECTED]": 
Re-enter password for principal "[EMAIL PROTECTED]": 
Principal "[EMAIL PROTECTED]" created.
kadmin.local:  quit
riverside:/home/faheem# asetkey add 3 /tmp/riverside.keytab afs
riverside:/home/faheem# dd if=/dev/zero of=/var/lib/openafs/vicepa bs=1024k count=32
32+0 records in
32+0 records out
33554432 bytes transferred in 0.090969 seconds (368855314 bytes/sec)
riverside:/home/faheem# mke2fs -j /var/lib/openafs/vicepa

comment begins***********************************************************
I see no reason not to use 'mke2fs -j' instead of 'mke2fs'.
comment ends*************************************************************

mke2fs 1.37 (21-Mar-2005)
/var/lib/openafs/vicepa is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
8192 inodes, 32768 blocks
1638 blocks (5.00%) reserved for the super user
First data block=1
4 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks: 
        8193, 24577

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 22 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
riverside:/home/faheem# mount -oloop /var/lib/openafs/vicepa /vicepa

comment begins************************************************************

This seems a good time to stop and look at files that have been
created in /etc/openafs, since we'll soon run into trouble in that
context.

So, here is 

*******/etc/openafs/ThisCell begins********
dulci.biostat.duke.edu
*******/etc/openafs/ThisCell ends**********

/etc/openafs/CellServDB begins***********************************
>dulci.biostat.duke.edu
152.3.172.51            # riverside.dulci.biostat.duke.edu
>grand.central.org      #GCO Public CellServDB 27 Jan 2005
18.7.14.88                      #grand-opening.mit.edu
128.2.191.224                   #penn.central.org
130.237.48.87                   #andrew.e.kth.se
[snip]
/etc/openafs/CellServDB ends**************************************

/etc/openafs/server/CellServDB begins******************************
>dulci.biostat.duke.edu
/etc/openafs/server/CellServDB ends******************************

Note /etc/openafs/ThisCell and /etc/openafs/server/ThisCell are the same.

/etc/openafs/server/CellServDB looks dodgy to me.

Ok, now we go with afs-newcell.

comment ends******************************************************************

riverside:/home/faheem# afs-newcell

                            Prerequisites

In order to set up a new AFS cell, you must meet the following:

1) You need a working Kerberos realm with Kerberos4 support.  You
   should install Heimdal with Kth-kerberos compatibility or MIT
   Kerberos5.

2) You need to create the single-DES AFS key and load it into
   /etc/openafs/server/KeyFile.  If your cell's name is the same as
   your Kerberos realm then create a principal called afs.  Otherwise,
   create a principal called afs/cellname in your realm.  The cell
   name should be all lower case, unlike Kerberos realms which are all
   upper case.  You can use asetkey from the openafs-krb5 package, or
   if you used AFS3 salt to create the key, the bos addkey command.

3) This machine should have a filesystem mounted on /vicepa.  If you
   do not have a free partition, then create a large file by using dd
   to extract bytes from /dev/zero.  Create a filesystem on this file
   and mount it using -oloop.  

4) You will need an administrative principal created in a Kerberos
realm.  This principal will be added to susers and
system:administrators and thus will be able to run administrative
commands.  Generally the user is a root instance of some administravie
user.  For example if jruser is an administrator then it would be
reasonable to create jruser/root and specify jruser/root as the user
to be added in this script.

5) The AFS client must not be running on this workstation.  It will be
at the end of this script.

Do you meet these requirements? [y/n] y
If the fileserver is not running, this may hang for 30 seconds.
/etc/init.d/openafs-fileserver stop
Stopping AFS Server: bos: could not find entry (can't find cell '<default>' in cell database)
bosserver.
What administrative principal should be used? faheem

comment begins************************************************************
Why isn't this faheem/admin? What is the difference?
comment ends**************************************************************

echo \>dulci.biostat.duke.edu >/etc/openafs/server/CellServDB
/etc/init.d/openafs-fileserver start
Starting AFS Server: bosserver.
bos addhost riverside riverside -localauth ||true
bos: could not find entry (can't find cell '<default>' in cell database)
bos adduser riverside faheem -localauth
bos: could not find entry (can't find cell '<default>' in cell database)
Failed: 256
bos: could not find entry (can't find cell '<default>' in cell database)
riverside:/home/faheem# exit
exit
configuration transcript ends*******************************************

comment begins************************************************************
The files in /etc/openafs are unchanged after this script runs.

The above error goes away, and the script seemingly gets a bit further
before exiting with another error, if /etc/openafs/server/CellServDB is
replaced by

>dulci.biostat.duke.edu
152.3.172.51            # riverside.dulci.biostat.duke.edu

Note that one also needs to comment out the following line in
/usr/sbin/afs-newcell

run( "echo \\>$cell >/etc/openafs/server/CellServDB");

otherwise the change gets overwritten when afs-newcell runs.

I can do this and report again if desired.

comment ends**************************************************************
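The report asks for more verification as one goes along. As an added example (not part of the bug report or of the openafs package), here is a pre-flight check for a CellServDB file that catches exactly the state shown above: a cell header in /etc/openafs/server/CellServDB with no database-server line under it, which is what leaves bos unable to find the cell. The two sample files it runs on are constructed from the contents of the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or the openafs package: a pre-flight
# check for a CellServDB file, so that a cell header with no database-server
# line (the state afs-newcell leaves in /etc/openafs/server/CellServDB) is
# caught before the bos commands fail with "can't find cell".
#
# Format handled: a '>' line opens a cell (">cellname   #comment"); each line
# after it, up to the next '>' line, is "IPv4-address   #hostname".

# Usage: cellservdb_check FILE
# Prints "<cell> <server-count>" per cell. Returns 1 if any cell lists zero
# servers, a server line precedes the first cell header, or a line is neither
# a header nor a dotted-quad address; returns 0 otherwise.
cellservdb_check() {
    awk '
        BEGIN { bad = 0; cell = "" }
        function flush() {
            if (cell != "") { print cell, n; if (n == 0) bad = 1 }
        }
        /^>/ { flush(); cell = $1; sub(/^>/, "", cell); n = 0; next }
        /^[ \t]*$/ { next }                         # blank line
        /^[ \t]*#/ { next }                         # comment-only line
        {
            if (cell == "") {
                print "server line before any cell header: " $0 > "/dev/stderr"
                bad = 1; next
            }
            # Plain dotted-quad test; interval expressions are avoided for mawk.
            if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n++
            else { print "malformed line: " $0 > "/dev/stderr"; bad = 1 }
        }
        END { flush(); exit bad }
    ' "$1"
}

# Demo on two constructed files mirroring the report: the server-side
# CellServDB as afs-newcell writes it (header only) and the corrected one.
demo() {
    bare=$(mktemp) || return 1
    fixed=$(mktemp) || return 1
    printf '>dulci.biostat.duke.edu\n' > "$bare"
    printf '>dulci.biostat.duke.edu\n152.3.172.51            # riverside.dulci.biostat.duke.edu\n' > "$fixed"
    echo "header-only file:"; cellservdb_check "$bare"  || echo "  -> FAIL (no database servers)"
    echo "corrected file:";   cellservdb_check "$fixed" && echo "  -> OK"
    rm -f "$bare" "$fixed"
}

demo
```

Run it against /etc/openafs/server/CellServDB and /etc/openafs/CellServDB before afs-newcell; a non-zero exit means bos will not be able to resolve the cell.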

Regards, Faheem.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

