[Updated 2002-01-18 02:21 EST: I found out later about the bos
adduser command I forgot. By the time I found out about this in the
OpenAFS section "Configuring the Top Levels of the AFS Filespace" I
had already stopped running with no authentication. This meant I
couldn't figure out how to issue the command since it wouldn't give me
permission to bos adduser. Reading some documentation I found out
about the -localauth argument. This argument, apparently accepted
by many commands, instructs the command to authenticate you as root.
In other words, if you want to use -localauth you have to be root.
Anyway, I found I could do a bos adduser verin.caliginous.net
afsmaster.admin -cell caliginous.net -localauth as root and be on my
way.]
OpenAFS seems very easy to set up. The OpenAFS documentation is quite good and has specific sections for Linux. They have OpenAFS RPMS for Red Hat going back to something like 6.2.
I installed all the RPMS on my first AFS cell, then went to the part of the quick start guide that’s entitled “Installing the First AFS Machine.” However, I was aware that AFS has its own Kerberos IV server, but that I wanted to use my MIT Kerberos V installation instead. The documentation on the OpenAFS site is not helpful here, instructing you to contact IBM for more information. Yeah, right.
Thankfully, someone wrote instructions on installing OpenAFS with another Kerberos implementation. These instructions are pretty good, but they’re a bit sketchy at points. I’ll try to fill in some holes here. If I feel brave maybe I’ll add them to the Wiki page, or at least a link to this log entry. This log entry was written for revision 1.10 of the Wiki page mentioned above.
Starting on the Wiki page at “Starting the Install” I followed all instructions. They don’t explicitly state at what step you’re supposed to stop following the OpenAFS documentation and start following their steps. I stopped before I started the section in the OpenAFS documentation entitled “Initializing Cell Security.” You’re going to basically skip this entire step, though the instructions on the Wiki page are the same as the instructions in the OpenAFS documentation in several places.
Once I got to the section in the Wiki page entitled “Create AFS Keys
and Administrators,” I created a principal called afs/myrealm.com
using kadmin. At first I tried just doing addprinc -randkey
afs/mycell.com, but that seemed to potentially be in conflict with
the instructions that are given in the Heimdal KTH instructions (which
are referred to and somewhat used in the MIT Kerberos V
instructions). Here’s what I ended up doing:
[darkness@servername ~]# kadmin -p kmaster/admin
kadmin: addprinc -randkey -e des-cbc-crc:v4 afs/mycell.com
WARNING: no policy specified for afs/mycell.com@MYREALM.COM; defaulting to no policy
Principal "afs/mycell.com@MYREALM.COM" created.
kadmin: getprinc afs/mycell.com
Principal: afs/mycell.com@MYREALM.COM
Expiration date: [never]
Last password change: Fri Jan 17 05:35:43 EST 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Fri Jan 17 05:35:43 EST 2003 (kmaster/admin@MYREALM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
I did the getprinc just to see if it worked. You presumably have
to add the -e des-cbc-crc:v4 to make it generate only the key type
that’ll be understood by AFS. In retrospect I suspect you can leave
the -e switch out and use the parameters to ktadd to only
export the des-cbc-crc:v4 key; someone is welcome to try this.
Note that there are instructions here about how your Kerberos V realm
must respond to Kerberos IV requests. If you followed the RH
documentation on setting up your Kerberos server, you’ve got
krb524 running and you’re set to go with Kerberos IV requests.
Next the Wiki page instructs you to create the
/usr/afs/etc/KeyFile file with the key for the principal we just
created above. This is where I had to feel my way around just a
little bit. For your benefit, I’ll quote important parts of my
session below. Keep in mind that we’re still on the Wiki page
instructions here, having left the OpenAFS documentation when we hit
the “Initializing Cell Security” section. Also note that the
following starts in the same kadmin session as above that we never
exited.
kadmin: ktadd -k /etc/afskeytabfile.krb5 -e des-cbc-crc:v4 afs/mycell.com
Entry for principal afs/mycell.com with kvno 4, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/afskeytabfile.krb5.
kadmin: quit
[darkness@servername afs-working]$ sudo /usr/kerberos/sbin/ktutil
ktutil: read_kt /etc/afskeytabfile.krb5
ktutil: list
slot KVNO Principal
---- ----
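As an added check, not part of the original log or of the Wiki instructions, the shell function below confirms that the keytab written by ktadd holds exactly one des-cbc-crc key for the afs principal and that its kvno agrees with what the KDC reports once you run getprinc again after ktadd (ktadd writes a fresh random key, which is why the kvno went from 2 to 4 in the session above). It assumes MIT ktutil's "list -e" output layout; both listings in the block are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original log): verify the keytab destined
# for the AFS KeyFile before converting it. Checks: one key only for the
# afs principal, enctype des-cbc-crc, and kvno equal to the KDC's.

# Constructed sample of `getprinc afs/mycell.com`, run again after ktadd.
GETPRINC_OUT='Principal: afs/mycell.com@MYREALM.COM
Number of keys: 1
Key: vno 4, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]'

# Constructed sample of `ktutil: list -e` for the keytab written by ktadd.
KTUTIL_OUT='slot KVNO Principal
---- ---- --------------------------------------------------------------
   1    4 afs/mycell.com@MYREALM.COM (DES cbc mode with CRC-32)'

# kdc_kvno <getprinc output>: key version the KDC currently holds.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9]*\),.*/\1/p' | head -n 1
}

# keytab_entries <ktutil output> <principal>: slot lines for that principal.
keytab_entries() {
    printf '%s\n' "$1" | grep -E "^ *[0-9]+ +[0-9]+ +$2 " || true
}

# check_afs_keytab <getprinc output> <ktutil output> <principal>
# Returns 0 when the keytab is fit for the KeyFile, else explains why not.
check_afs_keytab() {
    entries=$(keytab_entries "$2" "$3")
    count=$(printf '%s\n' "$entries" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one key for $3 in keytab, found $count"; return 1
    fi
    case "$entries" in
        *"DES cbc mode with CRC-32"*) ;;
        *) echo "key for $3 is not des-cbc-crc; AFS cannot use it"; return 1 ;;
    esac
    kt_kvno=$(printf '%s\n' "$entries" | awk '{print $2}')
    kdc=$(kdc_kvno "$1")
    if [ "$kt_kvno" != "$kdc" ]; then
        echo "kvno mismatch: keytab has $kt_kvno, KDC has $kdc"; return 1
    fi
    echo "ok: kvno $kt_kvno des-cbc-crc key for $3"
}

check_afs_keytab "$GETPRINC_OUT" "$KTUTIL_OUT" 'afs/mycell.com@MYREALM.COM'
```

Feed it the real getprinc and "list -e" output from your own session; a kvno mismatch here means the KeyFile would carry a key the KDC no longer issues tickets under.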