<p>One Suggestion by ... Calhariz - Tag - Kerberos</p>
<p>How to quickly setup a new OpenAFS cell in Debian 9 aka stretch.</p>
<p>Jose M Calhariz, 2022-09-21T01:53:00+01:00. Tags: Software, Debian, Kerberos, Open Source, OpenAFS, Sys Admin</p>
<p>Because the instructions in Debian are a bit out of date, I put here a quick summary of how to set up a new OpenAFS cell. These instructions complement the existing documentation and add some interesting bits for debugging.</p>
<p>First set up the Kerberos client; in this example we use the MIT implementation:</p>
<p><code>apt install krb5-user</code></p>
<p>Then install the fileserver software, including the aklog command:</p>
<p><code>apt install openafs-dbserver openafs-fileserver openafs-krb5</code></p>
<p>Get a keytab to authenticate your OpenAFS servers:</p>
<pre>
kadmin.local
addprinc -randkey -e aes256-cts-hmac-sha1-96 afs/cell-name
ktadd -k /root/afs.keytab afs/cell-name
getprinc afs/cell-name
quit
</pre>
<p>Copy this keytab to your first server:</p>
<p><code>scp afs.keytab afs01:</code></p>
<p>Move the keytab into the final place:</p>
<pre>
mv afs.keytab /etc/openafs/server/rxkad.keytab
chown root: /etc/openafs/server/rxkad.keytab
</pre>
<p>To work around a bug in afs-newcell:</p>
<p><code>touch /etc/openafs/server/KeyFile</code></p>
<p>Check that /vicepa is mounted:</p>
<p><code>df -h /vicepa</code></p>
<p>Bootstrap:</p>
<p><code>afs-newcell</code></p>
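<p>The preparation steps above can be verified in one pass before afs-newcell is run. The script below is an added example, not part of the original post or of OpenAFS: it checks that the keytab is owned by root and unreadable by group and others, that the KeyFile workaround is in place, and that /vicepa is a real mount point. The function names are made up for this example, and GNU stat (as shipped in Debian) is assumed.</p>

```sh
#!/bin/sh
# Added example: pre-flight checks to run before afs-newcell.
# Paths are the ones used on this page; function names are hypothetical.

KEYTAB=/etc/openafs/server/rxkad.keytab
KEYFILE=/etc/openafs/server/KeyFile
PARTITION=/vicepa

# Succeeds only if $1 is a regular file owned by uid $2 (default 0, root)
# with no group/other permission bits set. The keytab holds the cell's
# service key, so anyone who can read it can impersonate the AFS servers.
check_keytab() {
    kt=$1
    want_uid=${2:-0}
    [ -f "$kt" ] || { echo "missing keytab: $kt" >&2; return 1; }
    mode=$(stat -c %a "$kt") || return 1   # octal mode, e.g. 600 (GNU stat)
    uid=$(stat -c %u "$kt") || return 1    # numeric owner
    [ "$uid" = "$want_uid" ] || { echo "$kt is owned by uid $uid" >&2; return 1; }
    [ $(( 0$mode & 077 )) -eq 0 ] || { echo "$kt mode $mode is too open" >&2; return 1; }
}

# Succeeds only if directory $1 is itself a mount point, i.e. df reports
# a filesystem mounted exactly there and not the parent filesystem.
is_mounted() {
    [ -d "$1" ] || return 1
    mp=$(df -P "$1" 2>/dev/null | awk 'NR==2 {print $6}')
    [ "$mp" = "$1" ]
}

# Runs every check and reports all problems instead of stopping at the first.
preflight() {
    rc=0
    check_keytab "$KEYTAB" || rc=1
    [ -e "$KEYFILE" ] || { echo "missing $KEYFILE (afs-newcell workaround)" >&2; rc=1; }
    is_mounted "$PARTITION" || { echo "$PARTITION is not a mount point" >&2; rc=1; }
    return $rc
}

# Run the checks only when asked to: sh preflight.sh --run && afs-newcell
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

<p>If the mode check fails, <code>chmod 600</code> on the keytab fixes it.</p>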
<p>If something goes wrong, you can debug the aklog command with:</p>
<p><code>KRB5_TRACE=/dev/stdout aklog -d</code></p>
<p><a href="https://www.netmeister.org/blog/krb5-error-codes-table.html" hreflang="en" title="List of KRB RPC errors.">List of KRB RPC errors:</a></p>