Re: [OpenAFS] Fw: it would be nice to have an administrators guide

[Jeffrey Altman]

On 12/26/2016 2:58 PM, Benjamin Kaduk wrote:
> On Mon, Dec 26, 2016 at 11:37:17AM +, Ted Creedon wrote:
>> Ben,
>>
>> Thank you.
>>
>> So far by using the eclipse IDE , I've added afslog=true to [appdefaults]
> 
> Hmm, somehow I thought [appdefaults] was for applications that did not ship
> with the kerberos distribution (but could be wron), and I have more 
> familiarity
> with MIT krb5 than heimdal anyway.  But that doesn't seem like it would
> give better debugging output anyway.

Ben,

The Heimdal kinit has the ability to obtain afs tokens.  That is
controlled with the "afslog" configuration setting.

The order of precedence is

[appdefaults]
  kinit = {
 [ {
   afslog = 
}
  }

[appdefaults]
  kinit = {
afslog = 
  }

[appdefaults]
   [ {
afslog = 
  }

[appdefaults]
  afslog = 


[realms]
   [ {
afslog = 
  }

[libdefaults]
  afslog = 

The option doesn't have any impact on OpenAFS aklog.

Jeffrey Altman




<>

smime.p7s
Description: S/MIME Cryptographic Signature

Re: [OpenAFS] Fw: it would be nice to have an administrators guide

[Benjamin Kaduk]

On Mon, Dec 26, 2016 at 11:37:17AM +, Ted Creedon wrote:
> Ben,
> 
> Thank you.
> 
> So far by using the eclipse IDE , I've added afslog=true to [appdefaults]

Hmm, somehow I thought [appdefaults] was for applications that did not ship
with the kerberos distribution (but could be wron), and I have more familiarity
with MIT krb5 than heimdal anyway.  But that doesn't seem like it would
give better debugging output anyway.

We really need to get a single consolidated report from you that contains
the versions of all relevant software, and a transcript of everything that
you tried, with the corresponding output.  With the current state it's just
a guessing game and unlikely to succeed.

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] Fw: it would be nice to have an administrators guide

[Ted Creedon]

Ben,

Thank you.

So far by using the eclipse IDE , I've added afslog=true to [appdefaults]

I'll implement your directions after a quick nap

-afslog doesn't cooperate, I'll figure that out today.

ted

From: Benjamin Kaduk 
Sent: Sunday, December 25, 2016 2:10:13 PM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Fw: it would be nice  to have an administrators guide

On Fri, Dec 23, 2016 at 02:00:20AM +, Ted Creedon wrote:
>
>
> it would be nice to have an administrators guide on how to set up the keys 
> for openafs 1.8 + heimdal 7.1
>
> the intermixture of ad, heimdal & mit is confusing to say the least.
>
> could you provide one?

The main difference between the key setup for 1.6 and the key setup for 1.8
is that 1.6 uses a kerberos keytab named rxkad.keytab to store the 
server-private
keys (a regression introduced as part of the fix for OPENAFS-SA-2013-003 [0]),
whereas for 1.8 the keys an OpenAFS-specific file KeyFileExt is used.
Buried in the 1.8.0 release notes is an item that the 'akeyconvert' utility
reads rxkad.keytab and writes out the corresponding bits to KeyFileExt.
So, the short answer to your question would be to start with the quick start
guide for Unix (http://docs.openafs.org/QuickStartUnix/index.html) for the
cell setup instructions, including creating rxkad.keytab in the
"Starting the BOS Server" section, and then running 'akeyconvert' after
creating rxkad.keytab.

I do not run any heimdal-based realms or cells, so I cannot really provide
heimdal-specific instructions, but the main point of integration between
kerberos and OpenAFS is that there should be a kerberos principal
afs/@REALM in the kerberos realm to be used for the cell.  Kerberos
keys with strong (i.e., AES) encryption types should be used for that
principal, and a keytab created for it with name rxkad.keytab in the
OpenAFS server configuration directory (i.e., /etc/openafs/server on Debian).
After creating the rxkad.keytab, run 'akeyconvert' on that system, and copy
the resulting KeyFileExt to any additional AFS server machines in the cell.
Users of the cell need to have user principals in order to be able to use
aklog (or klog.krb5 is that is desired), and the PTS entries with the
corresponding names need to exist in the protection database in order
for those AFS users to be able to have filesystem permissions granted to them.

Please reply back if there are parts that need further clarification.

-Ben


[0] This is a regression because it forces most AFS binaries to be linked
against libkrb5, whereas traditionally one could operate AFS independently
of kerberos except for aklog (if desired) and asetkey.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] Fw: it would be nice to have an administrators guide

[Benjamin Kaduk]

On Fri, Dec 23, 2016 at 02:00:20AM +, Ted Creedon wrote:
> 
> 
> it would be nice to have an administrators guide on how to set up the keys 
> for openafs 1.8 + heimdal 7.1
> 
> the intermixture of ad, heimdal & mit is confusing to say the least.
> 
> could you provide one?

The main difference between the key setup for 1.6 and the key setup for 1.8
is that 1.6 uses a kerberos keytab named rxkad.keytab to store the 
server-private
keys (a regression introduced as part of the fix for OPENAFS-SA-2013-003 [0]),
whereas for 1.8 the keys an OpenAFS-specific file KeyFileExt is used.
Buried in the 1.8.0 release notes is an item that the 'akeyconvert' utility
reads rxkad.keytab and writes out the corresponding bits to KeyFileExt.
So, the short answer to your question would be to start with the quick start
guide for Unix (http://docs.openafs.org/QuickStartUnix/index.html) for the
cell setup instructions, including creating rxkad.keytab in the
"Starting the BOS Server" section, and then running 'akeyconvert' after
creating rxkad.keytab.

I do not run any heimdal-based realms or cells, so I cannot really provide
heimdal-specific instructions, but the main point of integration between
kerberos and OpenAFS is that there should be a kerberos principal
afs/@REALM in the kerberos realm to be used for the cell.  Kerberos
keys with strong (i.e., AES) encryption types should be used for that
principal, and a keytab created for it with name rxkad.keytab in the
OpenAFS server configuration directory (i.e., /etc/openafs/server on Debian).
After creating the rxkad.keytab, run 'akeyconvert' on that system, and copy
the resulting KeyFileExt to any additional AFS server machines in the cell.
Users of the cell need to have user principals in order to be able to use
aklog (or klog.krb5 is that is desired), and the PTS entries with the
corresponding names need to exist in the protection database in order
for those AFS users to be able to have filesystem permissions granted to them.

Please reply back if there are parts that need further clarification.

-Ben


[0] This is a regression because it forces most AFS binaries to be linked
against libkrb5, whereas traditionally one could operate AFS independently
of kerberos except for aklog (if desired) and asetkey.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

[OpenAFS] Fw: it would be nice to have an administrators guide

[Ted Creedon]

it would be nice to have an administrators guide on how to set up the keys for 
openafs 1.8 + heimdal 7.1

the intermixture of ad, heimdal & mit is confusing to say the least.

could you provide one?

tedc
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info