Oki DZ <[EMAIL PROTECTED]> writes:

> I'm trying to have openafs-fileserver & openafs-client running on my
> system. I can get both running, but I have problems in using pts.
> I already set the /etc/openafs/server/KeyFile using asetkey with the
> keytab retrieved from the Kerberos server (kadmin.local; ktadd -k
> /tmp/afs.keytab afs; asetkey add, with noticing the kvno from ktadd).
> Unfortunately, I have the following:
>
> root@okidz:~# kinit afs
> Password for [EMAIL PROTECTED]:
> root@okidz:~# aklog
> root@okidz:~# tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1) tokens for [EMAIL PROTECTED] [Expires Nov 9 01:07]
> --End of list--
> root@okidz:~# pts listentries
> Name ID Owner Creator
> pts: ticket contained unknown key version number ; unable to list entries
>
> Question is, what unknown key?
>
> BTW, I noticed also that when a keytab had been retrieved from the
> Kerberos server (using that ktadd), the password of the principal got
> lost; I could no longer do kinit using the same password. I had to
> change it first, and then kinit. What gives?

It sounds like you're running into some Kerberos lossage. Exporting a
keytab using kadmin also force-changes the key ("password") for that
principal. The Kerberos server also maintains a revision number for each
principal ("kvno", for "key version number"); every time the key changes,
the kvno increments. So, if what you're doing is something like this:

  kadmin (do ktadd to produce keytab)
  asetkey
  kpasswd (change key to something you know)
  kinit, etc.

Then you wind up putting a different key into the AFS server than you're
using for other things.

My impression is that you never actually want to 'kinit afs', though.
You should create a user principal instead, and add it to the AFS
system:administrators group, and then do things using that. Reading the
documentation on http://www.openafs.org/, it looks like you want to
populate system:administrators before you start up the cell with
authorization checking turned on. (The particular document I'm looking
at is the "AFS Quick Start Guide for UNIX".)

-- 
David Maze [EMAIL PROTECTED] http://people.debian.org/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal."
        -- Abra Mitchell
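
The kvno mismatch described in the reply above can be checked by comparing the key version the KDC currently issues for the afs principal with the versions stored in the server KeyFile. This is an added example, not part of the original thread; the realm EXAMPLE.ORG, the key bytes and the sample outputs are constructed, and the parsing assumes the output layout of MIT `kvno` and OpenAFS `asetkey list`.

```shell
#!/bin/sh
# Constructed sample outputs (not from the thread); realm and key bytes are made up.
# `kvno afs@EXAMPLE.ORG` after the key changed again (ktadd gave 3, kpasswd made it 4):
SAMPLE_KVNO='afs@EXAMPLE.ORG: kvno = 4'
# `asetkey list` on the file server, still holding the key exported by ktadd:
SAMPLE_ASETKEY='kvno    3: key is: 0123456789abcdef
All done.'

# Key version the KDC currently issues service tickets with.
current_kvno() {
    printf '%s\n' "$1" | awk '/: kvno = [0-9]+$/ { print $NF; exit }'
}

# Every key version present in the server KeyFile, one per line.
keyfile_kvnos() {
    printf '%s\n' "$1" | awk '$1 == "kvno" { sub(/:$/, "", $2); print $2 + 0 }'
}

# Returns 0 if the KeyFile holds the KDC's current kvno, 1 if not,
# 2 if the kvno output could not be parsed.
check_kvno() {
    want=$(current_kvno "$1")
    if [ -z "$want" ]; then
        echo "could not parse kvno output"
        return 2
    fi
    for have in $(keyfile_kvnos "$2"); do
        if [ "$have" -eq "$want" ]; then
            echo "ok: KeyFile contains kvno $want"
            return 0
        fi
    done
    echo "mismatch: KDC issues kvno $want, KeyFile has: $(keyfile_kvnos "$2" | tr '\n' ' ')"
    return 1
}

# Demo on the constructed samples. On a live server (with a valid TGT) use:
#   check_kvno "$(kvno afs@YOUR.REALM)" "$(asetkey list)"
check_kvno "$SAMPLE_KVNO" "$SAMPLE_ASETKEY" || true
```

A mismatch here corresponds to the "unknown key version number" error in the question: tickets are encrypted with a key version the file server does not have.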