[OpenAFS] Re: aklog and openafs 1.3.x

Frode Nilsen ml@cyberpunks.no
Fri, 29 Apr 2005 20:46:11 +0200


Thanks for all the help; I made myself an rpm for the afs-krb5-2.0
package. And now it works; I can run 'aklog', and get my token.

The only problem I encountered was with the pam_krb5afs module on the
clients (running fc3); it won't give a token when logging in. My solution
to this was to set '-acl system:anyuser l' on my users' home volumes, and
run 'aklog' from '.bash_profile'. I don't like that users can list the
content of other people's home volumes, but this was the only solution I
could find.

I wonder what solution other people have for this problem?


--
Frode Nilsen



On Sat, 23 Apr 2005 12:23:49 -0400, Christopher Allen Wing wrote:

> Frode:
> 
> The pam_krb5 module that comes with Red Hat should be able to obtain
> tokens. Note that it may have some bugs:
> 
> 	- it may not work with dynroot enabled
> 	- it may not work when you have more than 1 AFS database server
> 
> 
> At some point I will try to get patches to Red Hat to fix these issues,
> but I believe it will work at least if you disable dynroot. (or if you
> add the name of your cell to the options string in
> /etc/pam.d/system-auth)
> 
> If FC3 comes with the 'krbafs-utils' RPM, this includes a program called
> 'afslog' which can obtain tokens as well. afslog is a Kerberos 4
> program, though, so in order to get it to work you need to ensure:
> 
> 	- /etc/krb.conf has the correct information for your realm name
> 	- Kerberos 4 is enabled on your KDC
> 	- you have obtained Kerberos 4 tickets before running afslog
> 	  (which is generally the default for kinit)
> 
> 
> If you look in the source RPM for pam_krb5, you will find another
> program called 'afs5log' which is a version of aklog written by Red Hat.
> If you rebuild the pam_krb5 source RPM, inside the BUILD directory you
> will find an afs5log binary. This should work, and is Kerberos 5 native.
> 
> 
> Regarding compiling aklog to work with openafs, you will need some
> patches to get it working with openafs 1.3 and MIT krb5-1.3. I got this
> all to compile as part of my OpenAFS RPMs for Red Hat Enterprise Linux
> 4.
> 
> 
> You can find the patches to afs-krb5 here:
> 
> 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/
> 
> 
> If all you want to do is compile aklog, I believe you should be able to
> do it with the following patches:
> 
> 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-64bit.patch
> 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-res_search.patch
> 	(these two patches are needed to build on x86_64 at least)
> 
> 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-com_err.patch
> 
> 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-krb524.patch
> 
> 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-openafs1.3.patch
> 
> 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-warnings.patch
> 
> 
> Apply these patches to afs-krb5, and then build as:
> 
> 	cd src
> 	autoreconf
> 
> 	./configure --prefix=/usr --with-krb5=/usr/kerberos --with-afs=/usr/include
> 
> (assuming that you installed the development headers and libraries from
> openafs in /usr/include)
> 
> 
> 
> Alternatively, you could just attempt to rebuild the entire OpenAFS RPM
> under FC3. I would guess that the changes between RHEL4 and FC3 are
> minor enough that it shouldn't be a big deal.
> 
> The source RPM is here:
> 
> 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SRPMS/openafs-1.3.81-rhel4.0.src.rpm
> 
> 
> -Chris Wing
> wingc@engin.umich.edu