On Mon, Mar 04, 2019 at 02:14:43PM +0200, Ciprian Dorin Craciun wrote: > On Mon, Mar 4, 2019 at 3:35 AM Benjamin Kaduk <ka...@mit.edu> wrote: > > > Perhaps the OpenAFS Quick Start UNIX chapters touching the Kerberos > > > integration (http://docs.openafs.org/QuickStartUnix/HDRWQ53.html) > > > should clearly state this issue with principals containing dots and > > > using at the same time instances (i.e. slashes)... > > > > Patches welcome! (XML sources browseable at > > http://git.openafs.org/?p=openafs.git;a=tree;f=doc/xml/QuickStartUnix;h=9e4fbd3f23b81696d98b1fcb68519364fe365d3f;hb=HEAD > > ; preferred submissions are as gerrit changes (docs on that at > > https://wiki.openafs.org/devel/GitDevelopers/) but mailed patches and > > similar are fine. > > > I'll try to provide a patch to the documentation. > > (I am aware that OpenAFS is an open-source, volunteer-based project, > thus I was not "demanding" the update.) :) > > However on the same subject, is there a document describing how one > should configure Kerberos (from MIT) to work flawlessly with OpenAFS? > (I've tried searching for such a document, but found none, and > moreover even "plain" Kerberos deployment tutorials are very > scarce...)
I don't know of specific documentation for this, no. I think that many sites running Kerberos+AFS have some homegrown database management system that handles both and keeps them synchronized. (MIT's is called "Moira" and has a paper or two about it from the Project Athena days.) To a large extent, getting Kerberos set up is pretty much drop it in and switch it on, but there's a lot of flexibility about principal names, especially for administrative operations. Getting it integrated with OpenAFS is mostly about having the right 'pts createuser's happen to register users, and creating the afs/cellname.fqdn principal to go in the rxkad.keytab and/or KeyFileExt -- at this point, AFS is just a regular kerberized service and doesn't require special treatment on the Kerberos side for the service principals. (Well, other than it being a "clustered" service where multiple locations share the keytab.) > > > > > Moreover it's still unclear to me if in `pts createuser` I should use > > > the `username.admin` or `username/admin` variants? (It lets me do > > > both, but I think only the former actually works.) Could someone tell > > > me the "correct" syntax for OpenAFS usernames? > > > > You should pts createuser the username.admin variants. > > > I'll try to include this in that patch also. Thanks! > > > > Of course, rxgk will let us use fancier names for things, so we'll have to > > get used to a whole new world order when that finishes landing... > > Could you elaborate more on this? The low-level technical spec would be at/nearby http://afs3-stds.central.org/docs/draft-wilkinson-afs3-rxgk-11.txt which uses the extended names from http://afs3-stds.central.org/docs/draft-brashear-afs3-pts-extended-names-09.txt . The short form is that we'll be able to use (encoded) GSS principal names in the UserList file. It looks like the details haven't made it into the UserList.pod documentation yet (unsurprising, since the code to authenticate as them isn't in place yet), but the format includes a base64 encoded version of the GSS exported name (which itself would include the Kerberos mechanism OID, as alluded to in Section 10.3.2 of the second document). But I probably was not talking about what you were actually asking about; feel free to ask for more clarifications. -Ben _______________________________________________ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info