[OpenAFS] AFS token, SSH, KRB[5]
Interested parties might want to have a look at
/afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar

The pam_runexec is configurable to get a token by executing [KRB4] klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included. In auth, a pag is set, and a session based ticket file is also created. In session, the pag is recovered and the ticket file permissions corrected, if needed. Some of the routines may be useful for other pam routines.

This worked for me on RedHat EL5, kernel 2.6.18-1.2747.el5 with RedHat's delivered OpenSSH_4.3p2.

Best regards
Rainer Laatsch
E-mail: [EMAIL PROTECTED]
Universitaet zu Koeln
Reg. Rechenzentrum (ZAIK/RRZK)
Robert-Koch-Str. 10
D-50931 Koeln
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Switching from MIT to win 2003 krb5 server - ktpass question
Hi!

Now I tried to export [EMAIL PROTECTED] via ktpass on Win 2003 AD Server. I used the line:

ktpass -out NAME.out.txt -princ [EMAIL PROTECTED] \
 -crypto DES-CBC-CRC +rndPass -DesOnly /ptype KRB5_NT_SRV_HST

Was this correct? In the old mails from Mr. Altman no /ptype was noted, but Win2003 told me it needed this. And the host type looks reasonable instead of user type, or?

Kind regards,
Lars Schimmer
--
TU Graz, Institut für ComputerGraphik WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: [EMAIL PROTECTED]
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
[OpenAFS] compile error on AIX 5.3 - softsig.c
Get this error while compiling on AIX 5.3. Maybe I gave more information than needed, and any help will be appreciated. Thanks ahead of time.

/openafs/openafs-1.4.4/src/pinstall/pinstall libafsauthent.a /openafs/openafs-1.4.4/lib/libafsauthent.a
Target all is up to date.
case rs_aix53 in alpha_dux*|sgi_*|sun*_5*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*|*[of]bsd*|*nbsd[234]*) cd src cd tviced make all ;; *_darwin_[1-6][0-9]) echo Not building MT viced for rs_aix53 ;; *_darwin_*) cd src cd tviced make all ;; *) echo Not building MT viced for rs_aix53 ;; esac
xlc_r4 -O -I/openafs/openafs-1.4.4/src/config -I. -I. -I/openafs/openafs-1.4.4/include -I/openafs/openafs-1.4.4/include/afs -I/openafs/openafs-1.4.4/include/rx -I/openafs/openafs-1.4.4 -I/openafs/openafs-1.4.4/src -I/openafs/openafs-1.4.4/src -I.. -DNINTERFACE -DAFS_PTHREAD_ENV -K -D_NONSTD_TYPES -D_MBI=void -DRXDEBUG -c ../viced/viced.c
../viced/viced.c, line 446.25: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 450.26: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 603.14: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 659.14: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 665.17: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 686.21: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 690.22: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 694.21: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 698.22: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 1602.41: 1506-280 (E) Function argument assignment between types int* and unsigned int* is not allowed.
../viced/viced.c, line 1623.26: 1506-280 (E) Function argument assignment between types char* and const char* is not allowed.
../viced/viced.c, line 1811.29: 1506-280 (E) Function argument assignment between types int(*)() and char*(*)(void) is not allowed.
../viced/viced.c, line 1853.62: 1506-280 (E) Function argument assignment between types int(*)(char*,int,struct ktc_encryptionKey*) and int(*)(char*,int,char*) is not allowed.
../viced/viced.c, line 1854.62: 1506-280 (E) Function argument assignment between types int(*)(char*,int,struct ktc_encryptionKey*) and int(*)(char*,int,char*) is not allowed.
../viced/viced.c, line 1961.33: 1506-280 (E) Function argument assignment between types void*(*)(void*) and void* is not allowed.
../viced/viced.c, line 1964.33: 1506-280 (E) Function argument assignment between types void*(*)(void*) and void* is not allowed.
../viced/viced.c, line 1966.33: 1506-280 (E) Function argument assignment between types void*(*)(void*) and void* is not allowed.
../viced/viced.c, line 1988.17: 1506-098 (E) Missing argument(s).
../viced/viced.c, line 2028.14: 1506-098 (E) Missing argument(s).
2033 1500-010: (W) WARNING in main: Infinite loop. Program may not stop.
466 1500-010: (W) WARNING in HostCheckLWP: Infinite loop. Program may not stop.
494 1500-010: (W) WARNING in FsyncCheckLWP: Infinite loop. Program may not stop.
421 1500-010: (W) WARNING in FiveMinuteCheckLWP: Infinite loop. Program may not stop.
xlc_r4 -O -I/openafs/openafs-1.4.4/src/config -I. -I. -I/openafs/openafs-1.4.4/include -I/openafs/openafs-1.4.4/include/afs -I/openafs/openafs-1.4.4/include/rx -I/openafs/openafs-1.4.4 -I/openafs/openafs-1.4.4/src -I/openafs/openafs-1.4.4/src -I.. -DNINTERFACE -DAFS_PTHREAD_ENV -K -D_NONSTD_TYPES -D_MBI=void -DRXDEBUG -c ../viced/afsfileprocs.c
../viced/afsfileprocs.c, line 469.34: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 557.23: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 561.19: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 592.23: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 596.33: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 604.27: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 781.19: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 785.19: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 789.19: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 1286.28: 1506-280 (E) Function argument assignment between types unsigned int* and int* is not allowed.
../viced/afsfileprocs.c, line 1311.14: 1506-280 (E) Function argument
Re: [OpenAFS] compile error on AIX 5.3 - softsig.c
On Thu, 7 Jun 2007 [EMAIL PROTECTED] wrote:

> Get this error while compiling on AIX 5.3. Maybe I gave more information than needed, and any help will be appreciated. Thanks ahead of time.
>
> DRXDEBUG -c ../util/softsig.c
> ../util/softsig.c, line 93.26: 1506-099 (S) Unexpected argument.

which is sigwait(ss, sigw);

So what does the man page on your box say sigwait takes?
Re: [OpenAFS] compile error on AIX 5.3 - softsig.c
It takes set and sig, so I guess I should change that in softsig.c. Thanks!

On Thu, 7 Jun 2007 10:05:37 -0400 (EDT) Derrick J Brashear [EMAIL PROTECTED] wrote:

> On Thu, 7 Jun 2007 [EMAIL PROTECTED] wrote:
>
>> Get this error while compiling on AIX 5.3. Maybe I gave more information than needed, and any help will be appreciated. Thanks ahead of time.
>>
>> DRXDEBUG -c ../util/softsig.c
>> ../util/softsig.c, line 93.26: 1506-099 (S) Unexpected argument.
>
> which is sigwait(ss, sigw);
>
> So what does the man page on your box say sigwait takes?
Re: [OpenAFS] compile error on AIX 5.3 - softsig.c
On Thu, 7 Jun 2007 [EMAIL PROTECTED] wrote:

> It takes set and sig, so I guess I should change that in softsig.c. Thanks!

um, guess what?

sigwait(ss, sigw);

sigset_t ss
int sigw;

which are set and sig. I smell conflicting macros.

> On Thu, 7 Jun 2007 10:05:37 -0400 (EDT) Derrick J Brashear [EMAIL PROTECTED] wrote:
>
>> On Thu, 7 Jun 2007 [EMAIL PROTECTED] wrote:
>>
>>> Get this error while compiling on AIX 5.3. Maybe I gave more information than needed, and any help will be appreciated. Thanks ahead of time.
>>>
>>> DRXDEBUG -c ../util/softsig.c
>>> ../util/softsig.c, line 93.26: 1506-099 (S) Unexpected argument.
>>
>> which is sigwait(ss, sigw);
>>
>> So what does the man page on your box say sigwait takes?
[OpenAFS] SGE and AFS
Hi all,

Does anyone know where there might be instructions on setting up SGE (Sun Grid Engine) 6.1 http://www.sun.com/software/gridware/index.xml to integrate with AFS and Krb 5?

Thanks,

-Dj

--
Dj Merrill
Department of Economics
Unix Infrastructure Administrator
Room 213, Social Sciences Bldg
[EMAIL PROTECTED] - N1JOV
Duke University, Durham, NC 27708
Re: [OpenAFS] SGE and AFS
Dj Merrill wrote:

> Hi all,
>
> Does anyone know where there might be instructions on setting up SGE (Sun Grid Engine) 6.1 http://www.sun.com/software/gridware/index.xml to integrate with AFS and Krb 5?

http://www.lions.odu.edu:8080/hpcdocs/SMP-Environment/SGE/Overview

Talks about using SGE and OpenAFS.

> Thanks,
>
> -Dj

--
Douglas E. Engert [EMAIL PROTECTED]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [OpenAFS] AFS token, SSH, KRB[5]
Rainer Laatsch [EMAIL PROTECTED] writes:

> Interested parties might want to have a look at
> /afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar
>
> The pam_runexec is configurable to get a token by executing [KRB4] klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included. In auth, a pag is set, and a session based ticket file is also created. In session, the pag is recovered and the ticket file permissions corrected, if needed.

Out of curiosity, what did you find was missing from existing PAM modules that led you to write your own?

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: [OpenAFS] AFS token, SSH, KRB[5]
Russ Allbery wrote:

> Rainer Laatsch [EMAIL PROTECTED] writes:
>
>> Interested parties might want to have a look at
>> /afs/rrz.uni-koeln.de/vol/pam/pam_runexec.tar
>>
>> The pam_runexec is configurable to get a token by executing [KRB4] klog+afslog or [KRB5] kinit+gssklog under pam. Configs are included. In auth, a pag is set, and a session based ticket file is also created. In session, the pag is recovered and the ticket file permissions corrected, if needed.
>
> Out of curiosity, what did you find was missing from existing PAM modules that led you to write your own?

Out of curiosity, you're American I assume, so why does the concept of competition raise interest?
Re: [OpenAFS] SGE and AFS
On Thu, 7 Jun 2007, Douglas E. Engert wrote:

> Dj Merrill wrote:
>
>> Hi all,
>>
>> Does anyone know where there might be instructions on setting up SGE (Sun Grid Engine) 6.1 http://www.sun.com/software/gridware/index.xml to integrate with AFS and Krb 5?
>
> http://www.lions.odu.edu:8080/hpcdocs/SMP-Environment/SGE/Overview
>
> Talks about using SGE and OpenAFS.

You can also have a look at http://dvinfo.ifh.de/SGEwithAFS

The instructions are for an older SGE version, but the mechanism for getting an AFS token inside SGE is the same. We have used that solution routinely for several years.

--
Wolfgang Friebel
Deutsches Elektronen-Synchrotron DESY
Phone/Fax: +49 33762 77372/216
Platanenallee 6
Mail: Wolfgang.Friebel AT desy.de
D-15738 Zeuthen
Germany
[OpenAFS] cgi and afs?
I was talking to our sys admin. about allowing us users to run cgi programs from our afs accounts (served from $HOME/www which has system:anyuser rl) and asked if the web server could do this and was told first that the CMU AFS team was working on a way to make CGI principles for andrew (AFS realm) users so we can support them on contrib (AFS realm) and then later told they ran into a problem with permissions but had to work on the code a bit more. This was 8 months ago and still waiting for this to be finished.

Curious if Open AFS already has a way to do this or plans on implementing it. I think CMU is running special in-house customized AFS. Is there a canonical way for a user to tell which version of AFS is running?

Zach
Re: [OpenAFS] SGE and AFS
>> http://www.lions.odu.edu:8080/hpcdocs/SMP-Environment/SGE/Overview
>>
>> Talks about using SGE and OpenAFS.
>
> You can also have a look at http://dvinfo.ifh.de/SGEwithAFS

Thanks, all. I also ran across
http://www.lrz-muenchen.de/services/hpc/linux-cluster/lxadmin/job-control.html
which has some information. Between the three I should hopefully be able to get it going.

Thanks,

-Dj

--
Dj Merrill
Department of Economics
Unix Infrastructure Administrator
Room 213, Social Sciences Bldg
[EMAIL PROTECTED] - N1JOV
Duke University, Durham, NC 27708
Re: [OpenAFS] cgi and afs?
Zach [EMAIL PROTECTED] wrote:

> Is there a canonical way for a user to tell which version of AFS is running?

I always tell people to use rxdebug to figure out what AFS version they are running.

C:\rxdebug localhost 7001 -version
Trying 127.0.0.1 (port 7001):
AFS version: OpenAFS1.5.2000

You can also use this against remote machines:

C:\rxdebug 128.174.193.200 7001 -version
Trying 128.174.193.200 (port 7001):
AFS version: OpenAFS 1.4.2 built 2006-10-28

CDC
Re: [OpenAFS] compile error on AIX 5.3 - softsig.c
On 6/7/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> Get this error while compiling on AIX 5.3. Maybe I gave more information than needed, and any help will be appreciated. Thanks ahead of time.
>
> /openafs/openafs-1.4.4/src/pinstall/pinstall libafsauthent.a /openafs/openafs-1.4.4/lib/libafsauthent.a
> Target all is up to date.
> case rs_aix53 in alpha_dux*|sgi_*|sun*_5*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*|*[of]bsd*|*nbsd[234]*) cd src cd tviced make all ;; *_darwin_[1-6][0-9]) echo Not building MT viced for rs_aix53 ;; *_darwin_*) cd src cd tviced make all ;; *) echo Not building MT viced for rs_aix53 ;; esac
> xlc_r4 -O -I/openafs/openafs-1.4.4/src/config

Um, why did you set MT_CC to xlc_r4? We don't support DCE (aka draft 4) threads.

--
Tom Keiser
[EMAIL PROTECTED]
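The POSIX two-argument `sigwait(set, &sig)` call that the softsig.c thread above is about, shown in a small loop that collects blocked signals and runs their handlers synchronously. This is an added example, not part of any message in the thread and not OpenAFS code; `soft_register`, `soft_block`, `soft_wait_one` and `softsig_demo` are hypothetical names, and it assumes a POSIX (not DCE draft 4) environment.

```c
/* Added illustration, not OpenAFS source: take blocked signals with the
 * POSIX two-argument sigwait() and run their handlers synchronously.
 * All function names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SIG 32
typedef void (*soft_handler)(int);
static soft_handler handlers[MAX_SIG];
static unsigned long delivered;   /* bit n is set once signal n was dispatched */

static void note_signal(int signo) { delivered |= 1UL << signo; }

/* Register a handler that runs in ordinary context, not async-signal context. */
static int soft_register(int signo, soft_handler h)
{
    if (signo <= 0 || signo >= MAX_SIG) return -1;
    handlers[signo] = h;
    return 0;
}

/* Build the set of registered signals and block them, so that they stay
 * pending until sigwait() collects them. */
static int soft_block(sigset_t *ss)
{
    sigemptyset(ss);
    for (int i = 1; i < MAX_SIG; i++)
        if (handlers[i] && sigaddset(ss, i) != 0) return -1;
    return sigprocmask(SIG_BLOCK, ss, NULL);
}

/* POSIX form: sigwait(const sigset_t *set, int *sig) returns 0 on success
 * and stores the signal number through its second argument. */
static int soft_wait_one(const sigset_t *ss)
{
    int sigw = 0;
    if (sigwait(ss, &sigw) != 0) return -1;
    if (sigw > 0 && sigw < MAX_SIG && handlers[sigw]) handlers[sigw](sigw);
    return sigw;
}

/* Raise two blocked signals, collect both, return the mask of dispatched ones. */
unsigned long softsig_demo(void)
{
    sigset_t ss;
    delivered = 0;
    if (soft_register(SIGUSR1, note_signal) || soft_register(SIGUSR2, note_signal)) return 0;
    if (soft_block(&ss) != 0) return 0;
    raise(SIGUSR1);
    raise(SIGUSR2);
    for (int n = 0; n < 2; n++)   /* pending order is unspecified, so take both */
        if (soft_wait_one(&ss) < 0) return 0;
    return delivered;
}

int main(void)
{
    printf("dispatched mask: 0x%lx\n", softsig_demo());
    return 0;
}
```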
Re: [OpenAFS] AFS token, SSH, KRB[5]
Christof Hanke [EMAIL PROTECTED] writes:

> Russ Allbery wrote:
>
>> Out of curiosity, what did you find was missing from existing PAM modules that led you to write your own?
>
> Out of curiosity, you're American I assume, so why does the concept of competition raise interest?

I'm not quite sure what you mean.

I'm curious about all PAM implementations in this space because different implementations bring different ideas and different use cases, and I'd like to be aware of how other people are using PAM when writing PAM modules. I also occasionally give talks about AFS and PAM and like to mention all the available options so that people can pick what works best for their situation, so I like to know what the strengths and weaknesses of the available options are.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: [OpenAFS] AFS token, SSH, KRB[5]
Russ Allbery wrote:

> Christof Hanke [EMAIL PROTECTED] writes:
>
>> Russ Allbery wrote:
>>
>>> Out of curiosity, what did you find was missing from existing PAM modules that led you to write your own?
>>
>> Out of curiosity, you're American I assume, so why does the concept of competition raise interest?
>
> I'm not quite sure what you mean.

I think it's pretty clear what you're trying to do, Russ. OBVIOUSLY, you're an American bastard trying to get a strangle-hold monopoly in the market for freely available open source PAM modules. They're apparently German trade secrets, and no, you cannot have that information.

*rolls eyes*
[OpenAFS] Re: vos dump authorization based on bos adduser?
Derrick J Brashear [EMAIL PROTECTED] writes:

> Actually, now that I think about it, if all the ptserver instances are down, how would an admin be able to aklog (in order to run bos commands)?
>
> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>
> But localauth doesn't even require the bos adduser list...
>
> I guess I'm just wondering if the bos userlist can be eliminated and bosserver/volserver can use system:administrators instead. I'll write up a patch adding an option for this unless there's some reason why this is a Very Bad Idea.
>
> bosserver can't depend on ptserver..

I think we're going in circles here... didn't you indicate above that -localauth should be used in situations where bosserver must be used without any running ptservers?

- a

--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
Re: [OpenAFS] Re: vos dump authorization based on bos adduser?
On Thu, 7 Jun 2007, Adam Megacz wrote:

> Derrick J Brashear [EMAIL PROTECTED] writes:
>
>> Actually, now that I think about it, if all the ptserver instances are down, how would an admin be able to aklog (in order to run bos commands)?
>>
>> -localauth. (but aklog doesn't *require* ptserver; see afslog)
>>
>> But localauth doesn't even require the bos adduser list...
>>
>> I guess I'm just wondering if the bos userlist can be eliminated and bosserver/volserver can use system:administrators instead. I'll write up a patch adding an option for this unless there's some reason why this is a Very Bad Idea.
>>
>> bosserver can't depend on ptserver..
>
> I think we're going in circles here... didn't you indicate above that -localauth should be used in situations where bosserver must be used without any running ptservers?

That's bos. I said bosserver can't depend on ptserver. Your mind is going in circles, my explanation is not.

How does the bosserver decide you're eligible if there's no ptserver? Well, it times out and then just allows localauth. Timeout. Ick.
[OpenAFS] Re: cgi and afs?
Zach [EMAIL PROTECTED] writes:

> Curious if Open AFS already has a way to do this or plans on implementing it. I think CMU is running special in-house customized AFS.

You want the WaklogPrincipal directive in UMBC's mod_waklog.

http://www.umbc.edu/oit/iss/syscore/wiki/Mod_waklog

Works quite nicely, though only with Apache 1.3 (for now).

- a

--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
[OpenAFS] Re: Switching from MIT to win 2003 krb5 server
FWIW, this is easy (easier?) if you set up an empty realm with no users and an MIT KDC just for the AFS cell, and establish cross-realm trust between the two KDCs.

I'm doing this at the moment against two AD realms on campus (one Win2k0, one Win2k3) and it works quite well. It also minimizes the number of things I have to ask the AD admins to do for me, which is wonderful because we seem to speak completely different languages (Microsoft has invented their own names for all the important Kerberos concepts).

- a
Re: [OpenAFS] Re: cgi and afs?
On Thu, 7 Jun 2007, Adam Megacz wrote:

> Zach [EMAIL PROTECTED] writes:
>
>> Curious if Open AFS already has a way to do this or plans on implementing it. I think CMU is running special in-house customized AFS.
>
> You want the WaklogPrincipal directive in UMBC's mod_waklog.
>
> http://www.umbc.edu/oit/iss/syscore/wiki/Mod_waklog
>
> Works quite nicely, though only with Apache 1.3 (for now).

I'm pretty sure the Apache2 support I sent is already in CVS.