Tag - Kerberos


Wednesday, 21 September, 2022

How to quickly set up a new OpenAFS cell in Debian 9 aka stretch.

Because the instructions in Debian are a bit out of date, I put here a quick summary of how to set up a new OpenAFS cell. These instructions complement the existing documentation and add some interesting bits for debugging.

First set up the Kerberos client; in this example we use the MIT implementation:

apt install krb5-user

Then install the fileserver software, including the aklog command:

apt install openafs-dbserver openafs-fileserver openafs-krb5

Get a keytab to authenticate your OpenAFS servers:

kadmin.local
addprinc -randkey -e aes256-cts-hmac-sha1-96 afs/cell-name
ktadd -k /root/afs.keytab afs/cell-name
getprinc afs/cell-name
quit

Copy this keytab to your first server:

scp afs.keytab afs01:

Move the keytab into its final place:

mv afs.keytab /etc/openafs/server/rxkad.keytab
chown root: /etc/openafs/server/rxkad.keytab

To work around a bug in afs-newcell:

touch /etc/openafs/server/KeyFile

Check that /vicepa is mounted:

df -h /vicepa

Bootstrap:

afs-newcell
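
The preparation steps above can be verified in one pass before running afs-newcell. The script below is an added example, not part of the original post: it checks that the keytab (which holds the cell's service key) is root-owned and not accessible to group or other, that it contains the aes256 key for afs/cell-name, that the KeyFile workaround is in place and that /vicepa is mounted. The function names are hypothetical, and it assumes GNU stat and util-linux mountpoint, as found on Debian.

```sh
#!/bin/sh
# Added example: pre-flight checks to run on the server before afs-newcell.
# Function names are hypothetical; paths and principal are the page's.

# Succeeds only if $1 is a regular file owned by uid $2 (default 0 = root)
# with no permission bits set for group or other (mode 600, 400, ...).
keytab_is_private() {
    file=$1; owner=${2:-0}
    [ -f "$file" ] || return 1
    [ "$(stat -c %u "$file")" = "$owner" ] || return 1
    case $(stat -c %a "$file") in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Reads `klist -k -e` output on stdin; succeeds if principal $1 is listed
# with the aes256-cts-hmac-sha1-96 enctype chosen in the addprinc step.
lists_aes256_key() {
    grep -F "$1@" | grep -qF "aes256-cts-hmac-sha1-96"
}

# Succeeds if $1 is a mount point (mountpoint ships with util-linux).
is_mounted() {
    mountpoint -q "$1" 2>/dev/null
}

# Runs every check, reports each failure on stderr, returns 1 if any failed.
preflight() {
    kt=/etc/openafs/server/rxkad.keytab; rc=0
    keytab_is_private "$kt" ||
        { echo "$kt: missing, not root-owned, or group/other accessible" >&2; rc=1; }
    klist -k -e "$kt" 2>/dev/null | lists_aes256_key afs/cell-name ||
        { echo "$kt: no aes256 key for afs/cell-name" >&2; rc=1; }
    [ -e /etc/openafs/server/KeyFile ] ||
        { echo "KeyFile missing (afs-newcell workaround not applied)" >&2; rc=1; }
    is_mounted /vicepa ||
        { echo "/vicepa is not a mounted filesystem" >&2; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh run
if [ "${1:-}" = run ]; then preflight; exit $?; fi
```

If the keytab check fails, `chown root:` and `chmod 600` on /etc/openafs/server/rxkad.keytab bring it back to the expected state.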

If something goes wrong, you can debug the aklog command with:

KRB5_TRACE=/dev/stdout aklog -d

List of KRB RPC errors: