Initializing Cell Security

If you are working with an existing cell which uses kaserver or Kerberos v4 for authentication, please see Initializing Cell Security with kaserver for installation instructions which replace this section.

Now initialize the cell's security mechanisms. Begin by creating the following two entires in your site's Kerberos database:

You also issue several commands that enable the new admin user to issue privileged commands in all of the AFS suites.

The following instructions do not configure all of the security mechanisms related to the AFS Backup System. See the chapter in the OpenAFS Administration Guide about configuring the Backup System.

The examples below assume you are using MIT Kerberos. Please refer to the documentation for your KDC's administrative interface if you are using a different vendor

  1. Enter kadmin interactive mode.

       # kadmin
    Authenticating as principal you/admin@YOUR REALM with password
    Password for you/admin@REALM: your_password

  2. Issue the add_principal command to create Kerberos Database entries called admin and afs/<cell name>.

    You should make the admin_passwd as long and complex as possible, but keep in mind that administrators need to enter it often. It must be at least six characters long.

    Note that when creating the afs/<cell name> entry, the encryption types should be restricted to des-cbc-crc:v4. For more details regarding encryption types, see the documentation for your Kerberos installation.

       kadmin: add_principal -randkey -e des-cbc-crc:v4 afs/<cell name>
       Principal "afs/cell name@REALM" created.
       kadmin:  add_principal admin
       Enter password for principal "admin@REALM": admin_password
       Principal "admin@REALM" created.

  3. Issue the kadmin get_principal command to display the afs/<cell name> entry.

      kadmin: get_principal afs/<cell name>
      Principal: afs/cell
      [ ... ]
      Key: vno 2, DES cbc mode with CRC-32, no salt
      [ ... ]

  4. Extract the newly created key for afs/cell to a keytab on the local machine. We will use /etc/afs.keytab as the location for this keytab.

    The keytab contains the key material that ensures the security of your AFS cell. You should ensure that it is kept in a secure location at all times.

      kadmin: ktadd -k /etc/afs.keytab -e des-cbc-crc:v4 afs/<cell name>
    Entry for principal afs/<cell name> with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/afs.keytab

    Make a note of the key version number (kvno) given in the response, as you will need it to load the key into bos in a later step


    Note that each time you run ktadd a new key is generated for the item being extracted. This means that you cannot run ktadd multiple times and end up with the same key material each time.

  5. Issue the quit command to leave kadmin interactive mode.

       kadmin: quit

  6. Issue the bos adduser command to add the admin user to the /usr/afs/etc/UserList file. This enables the admin user to issue privileged bos and vos commands.

       # ./bos adduser <machine name> admin -noauth

  7. Issue the asetkey command to set the AFS server encryption key in the /usr/afs/etc/KeyFile file. This key is created from the /etc/afs.keytab file created earlier.

    asetkey requires the key version number (or kvno) of the afs/cell key. You should have made note of the kvno when creating the key earlier. The key version number can also be found by running the kvno command

       # kvno -k /etc/afs.keytab afs/<cell name>

    Once the kvno is known, the key can then be extracted using asetkey

       # asetkey add <kvno>  /etc/afs.keytab afs/<cell name>
  8. Issue the bos listkeys command to verify that the key version number for the new key in the KeyFile file is the same as the key version number in the Authentication Database's afs/cell name entry, which you displayed in Step 3.

       # ./bos listkeys <machine name> -noauth
       key 0 has cksum checksum    

    You can safely ignore any error messages indicating that bos failed to get tickets or that authentication failed.