> What does not work:
> I would like for pam_krb5afs.so to obtain a token for AFS during login.
> Currently, I get an error message saying that while a cell-name was
> specified, it appears that AFS is not running ("cells specified but AFS
> not running"). A similar message appears when I run afslog from the
> heimdal code after I log into the local workstation.
Hm. I thought heimdal-0.6.2 was new enough, but perhaps not.
Recent versions of OpenAFS support an alternate user/kernel interface
in addition to the traditional syscall. While the inability to locate sys_call_table is normal for 2.6 kernels, one of the side effects is that you must use the new interface, as the old one is no longer available. Unfortunately, it seems that your heimdal must be too old to know about the new interface. :-(
> Questions: (1) Is it possible for OpenAFS to use Kerberos 5 tickets obtained from the heimdal kdc directly to authenticate to the AFS server?
I'm not sure what you mean by "directly". OpenAFS supports Kerberos v5 tickets, but they must be stored into the kernel token cache (ktc) so they are available to the cache manager. This is what afslog does, and part of what the PAM module does.
There are essentially three ways to get tokens to store in the ktc:
(a) Get a Kerberos v4 ticket and give it to the cache manager. This is what krb4-aware versions of aklog and afslog do. It is also what klog does, though in that case the ticket is obtained using the kaserver protocol rather than Kerberos.
(b) Get a Kerberos v5 ticket, and convert it to the form needed by the cache manager. Some krb-aware versions of aklog and afslog may use this approach.
(c) Get a Kerberos v5 ticket, send it to krb524d for translation to a Kerberos v4 ticket, and give that to the cache manager. This is the approach taken by many krb5-aware versions of afslog. Note that the krb524 service may return an actual krb4 ticket, or it may return a krb5 ticket inside a special wrapper.
In case (a), you are using krb4. In case (b), you are using krb5. In case (c), what you are using depends on what krb524d does.
> (2) Do I need to install kth-krb (or another Kerberos 4 installation) on any of the servers/workstations? I.e. is it necessary to have support for Kerberos 4 to make this happen?
No.
> (3) If it is not necessary to install kth-krb, how do I get pam_krb5afs.so to compile? It appears that it requires krb4 libraries to build. Are there other alternatives to get AFS tokens immediately during login?
I'm not sure where your pam_krb5afs is coming from, or what libraries it expects to use. It may be attempting to do AFS operations itself, or it may be using the libkafs library provided with heimdal. In the latter case, if heimdal is not built with krb4 support, then libkafs should not need it either.
> (4) Is it possible to run the AFS server processes and the kdc on two different servers?
Yes.
> If yes, what do I need to set up for the different pieces to inter-operate? Do I need to run a slave kdc on the AFS server?
No. You don't need to do anything special.
AFS is a Kerberos-authenticated service, so its service principal will need to be registered in the Kerberos database, with the same key configured on the AFS servers. I believe heimdal comes with tools that make it easy to generate a key file in the format that AFS requires. Note that AFS servers support only the des-cbc-crc, des-cbc-md4, and des-cbc-md5 enctypes, so you will need to make sure that the AFS service principal has keys only for those enctypes.
> (5) If I am able to use Kerberos 5 tickets as tokens, do I need to enable krb524?
That depends on what your aklog/afslog does. If it converts the ticket locally, you don't need a krb524 service. However, I believe most versions currently distributed do require this service, for various reasons.
> (6) What files need to be set up on the different servers/workstations? I use krb5.conf on the workstation to find the KDC, I use krb5.conf on the server to configure the KDC, I use ThisCell/CellServDB on the AFS server to provide information about the OpenAFS server. Do I need to set up ThisCell/CellServDB on the workstation as well so that it knows how to locate the OpenAFS server?
Yes. Or, you can use dynroot mode and afsdb support, and publish AFSDB records for your cell in the DNS (see RFC1183).
> Observations: I looked into the problem with the sys_call_table issue on the
It's a known issue, somewhat too complex to go into here.
Suffice it to say that the message is actually the result of something that happens at configure time, because of a series of tests that we can no longer do against Linux 2.6.
> ... It then failed reporting a problem with a pioctl (sorry, I don't have the exact message handy).
This is definitely the new-vs-old kernel interface problem. The Debian packages do not contain code new enough to support the new interface.
> Problem with SSL: Wherever possible, I used openssl-0.9.7d to compile the software packages. For kth-krb, I had to compile without OpenSSL.
I can't help you with that -- ask on the kth-krb list.
-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
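Two of the answers above reduce to checks an administrator can script before trying to log in: the AFS service principal must carry only the des-cbc-crc, des-cbc-md4 and des-cbc-md5 enctypes (answer to question 4), and a workstation that is not using dynroot/AFSDB needs a ThisCell that actually appears in its CellServDB with at least one database server (answer to question 6). The Python below is an added example written for this page; it is not code from the thread, from OpenAFS or from Heimdal. The CellServDB text and the enctype lists are constructed sample inputs, and the enctype checker takes a plain list of enctype names rather than parsing any particular kadmin output format.

```python
"""Offline sanity checks for an AFS cell's Kerberos and client configuration.

Both inputs below are constructed samples; nothing is read from the live system.
"""
import ipaddress

# The only enctypes AFS servers can use for the afs service principal (from the thread).
AFS_ENCTYPES = frozenset({"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"})


def check_afs_principal_enctypes(enctypes):
    """Return a list of problems with the enctypes held by the AFS service principal.

    An empty list means the key set is usable by AFS servers.  Any non-DES enctype is
    reported so it can be removed from the principal; a key set with no DES key at all
    is also reported, since the servers would then have nothing to verify tokens with.
    """
    present = {e.strip().lower() for e in enctypes}
    problems = []
    extra = sorted(present - AFS_ENCTYPES)
    if extra:
        problems.append("enctypes AFS servers cannot use: " + ", ".join(extra))
    if not present & AFS_ENCTYPES:
        problems.append("no DES key at all; AFS servers cannot verify tokens")
    return problems


def parse_cellservdb(text):
    """Parse CellServDB text into {cell_name: [(ip, hostname), ...]}.

    Format handled: a line starting with '>' names a cell (optional '#description'),
    and each following non-comment line is '<ip> #<hostname>' for one database server.
    A server line before any cell line, or an unparsable address, raises ValueError.
    """
    cells = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(">"):
            name, _, _description = line[1:].partition("#")
            current = name.strip().lower()
            cells[current] = []
            continue
        if current is None:
            raise ValueError(f"server line before any cell line: {raw!r}")
        addr, _, host = line.partition("#")
        ip = ipaddress.ip_address(addr.strip())  # rejects garbage addresses
        cells[current].append((str(ip), host.strip()))
    return cells


def check_workstation_cell_config(thiscell, cellservdb_text):
    """Return a list of problems; an empty list means the client can locate its cell."""
    cell = thiscell.strip().lower()
    cells = parse_cellservdb(cellservdb_text)
    if cell not in cells:
        return [f"ThisCell {cell!r} has no entry in CellServDB"]
    if not cells[cell]:
        return [f"cell {cell!r} lists no database servers"]
    return []


# Constructed sample CellServDB (documentation addresses, not a real cell).
SAMPLE_CELLSERVDB = """>example.com     #Example cell
192.0.2.10        #afsdb1.example.com
192.0.2.11        #afsdb2.example.com
>other.example    #Cell with no servers listed
"""

if __name__ == "__main__":
    print(check_afs_principal_enctypes(["des-cbc-md5", "des-cbc-crc"]))
    print(check_afs_principal_enctypes(["aes256-cts-hmac-sha1-96", "des-cbc-md5"]))
    print(check_workstation_cell_config("example.com\n", SAMPLE_CELLSERVDB))
    print(check_workstation_cell_config("other.example", SAMPLE_CELLSERVDB))
```

On a real workstation the cell name and server list would come from the client's ThisCell and CellServDB files (their location depends on the OpenAFS packaging), and the enctype list from whatever the site's kadmin reports for the afs principal.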
