From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Eckhardt
To: 9fans@cse.psu.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <9836.1074624009.1@piper.nectar.cs.cmu.edu>
Message-ID: <9837.1074624009@piper.nectar.cs.cmu.edu>
Subject: [9fans] Authentication debugging help?
Date: Tue, 20 Jan 2004 13:40:09 -0500
Topicbox-Message-UUID: bcb5895c-eacc-11e9-9e20-41e7f4b1d025

I'm trying to set up a machine to be a fossil/venti file server plus
auth server (I'll tackle a CPU server later).

What I have working so far:

1. Followed standard installation (9pcf kernel, fossil). (This includes
   finding, I believe, an installer bug, which I will be happy to
   document once I have this thing working.)

2. Branded fossil & venti information onto their respective partitions,
   took an archival snapshot... that all seems to work ok.

3. Built 9pccpuf kernel, edited /rc/bin/cpurc. This appears to boot and
   work ok.

BUT when I try to boot a second machine from the "boot floppy" the
installer made for me (9pcdisk kernel?), the client panics. I apologize
for having left my notes (including the exact panic message) home with
the machine, but it dies very early and I wasn't able to match the
complaint to anything obvious in the sources.

So, some questions:

1. The initial chunk of the "Data Base" section of authsrv(6), discussing
   /lib/ndb/auth, is confusing me. The text and comments seem to suggest
   that "hostid=bootes" refers to a machine named "bootes" (though I
   don't see "hostid" used in ndb(6) to designate machines, only "dom"
   and "sys"). In fact, it explicitly says "client host's ID". But in
   the "Network Database" section of the Wiki's "Configuring a
   standalone CPU server" page, it says "Uncomment the two lines
   indicated in /lib/ndb/auth to say that the cpu server owner is
   allowed to become any other user (given the appropriate
   credentials)". This sure sounds like "bootes" is a USER, not a
   "client host's ID".

   And at the top of that document it says "You can decide what name to
   give your cpu server owner. This is the user that all the cpu servers
   run as. We'll name the user 'bootes'; it is recommended that you also
   choose 'bootes' as it will appear in the instructions frequently."
   Again, here it seems inexorable that "bootes" is a user. Which way is
   up? More to the point, what belongs in my /lib/ndb/auth file?

2. Can somebody give me some step-by-step suggestions of things to
   verify? Things like "On your fs/auth server you should have a foo
   process, which you should see in ps, which should be offering
   /mnt/xxx and /srv/xxx, and there should be a /rc/bin/service.auth/ilYYY
   file, and if you "telnet srvname YYY" the greeting should be "zzz"."

3. Likewise, I would appreciate any detailed suggestions about how to
   simulate the terminal-booting-from-server process from an outside
   machine, things like "boot the installer CD-ROM on the client, log
   in as "none", set auth=srvname, run auth/keyfs, then auth/factotum,
   ..."

4. From grubbing around on the server, it's not clear that the secstore
   daemon is running. At least I don't see something in
   /rc/bin/service.auth or /rc/bin/cpurc which would start it... or am I
   overlooking something obvious? Can fossil on the server authenticate
   clients without its factotum (running as bootes) having access to
   its key(s)?

Dave Eckhardt
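The following is an added example, not part of the post above and not Plan 9's own code. It models the "may this host owner speak for that user" rule that question 1 is asking about, the way authsrv(6) describes it as quoted in the post: a hostid= entry in /lib/ndb/auth names a host owner (the user name a CPU or auth server runs as, which is why the wiki calls it the "cpu server owner"), the uid= attributes on that entry list the users it may speak for, a leading "!" excludes a user, and "*" matches anyone. Treating hostid as a user name rather than a machine name, the exclusion-always-wins ordering, and the tiny ndb parser are all assumptions of this example; the database text it reads is constructed to look like the two lines the wiki says to uncomment plus a second, more restricted entry.

```python
"""Toy evaluator for the /lib/ndb/auth "speaks for" rule.

Added example (not code from the post or from Plan 9).  Semantics are
modelled on the authsrv(6) description: hostid= names a host owner,
uid= lists whom it may speak for, '!' negates, '*' matches everyone.
"""

# Constructed sample in /lib/ndb/auth syntax.  An entry is a line plus any
# following lines that begin with whitespace; '#' starts a comment.
SAMPLE_AUTH_DB = """\
# host owner bootes may speak for every user except sys and adm
hostid=bootes
\tuid=!sys uid=!adm uid=*

# a more restricted host owner (hypothetical): only two named users
hostid=tcpserver
\tuid=alice uid=bob
"""


def parse_ndb(text):
    """Return a list of entries; each entry is a list of (attr, value)
    pairs in file order.  Only the attr=value subset of ndb syntax that
    /lib/ndb/auth uses is handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]          # drop comments
        if not line.strip():
            continue                         # blank or comment-only line
        pairs = []
        for tok in line.split():
            attr, _, val = tok.partition('=')
            pairs.append((attr, val))
        if raw[0] in ' \t' and entries:      # continuation of previous entry
            entries[-1].extend(pairs)
        else:
            entries.append(pairs)
    return entries


def speaks_for(entries, hostid, user):
    """True if host owner `hostid` may speak for `user`.

    Assumed rule: the first entry with a matching hostid= decides; an
    explicit uid=!user exclusion wins regardless of where it appears,
    otherwise uid=* or uid=user grants; no entry means no."""
    if hostid == user:
        return True                          # everyone speaks for themselves
    for entry in entries:
        if ('hostid', hostid) not in entry:
            continue
        ok = False
        for attr, val in entry:
            if attr != 'uid':
                continue
            if val == '!' + user:
                return False                 # exclusion always wins
            if val == '*' or val == user:
                ok = True
        return ok
    return False                             # unknown host owner


if __name__ == '__main__':
    db = parse_ndb(SAMPLE_AUTH_DB)
    for owner, who in [('bootes', 'glenda'), ('bootes', 'sys'),
                       ('tcpserver', 'alice'), ('tcpserver', 'glenda')]:
        print(f'{owner} speaks for {who}: {speaks_for(db, owner, who)}')
```

The point of the example is the reading of the database: with the commented-out lines enabled, the user bootes (the server's host owner, whose keys its factotum holds) may speak for anyone except sys and adm; nothing in the entry refers to a machine name.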