[OpenAFS] afs krb5 migration
Martin Schulz
schulz@iwrmm.math.uni-karlsruhe.de
23 Apr 2001 15:33:06 +0200
Hello,
Sorry to follow up myself.
Martin Schulz <schulz@iwrmm.math.uni-karlsruhe.de> writes:
> Furthermore, I observed that the afs principal has only two keys in
> kerberos, whereas usual user have four of them:
>
> AFS:
> Key: vno 2, DES cbc mode with CRC-32, no salt
> Key: vno 2, Triple DES cbc mode raw, no salt
>
> myself:
> Key: vno 2, DES cbc mode with CRC-32, no salt
> Key: vno 2, Triple DES cbc mode raw, no salt
> Key: vno 2, DES cbc mode with CRC-32, Version 4
> Key: vno 2, DES cbc mode with CRC-32, AFS version 3
>
> Is that supposed to be that way?
Obviously not. Forrest Whitcher gave me the hint to add the option "-e
des-cbc-crc:afs3" as a parameter in the "kadmin ktadd" command and
proceed as described in the migration kit readme. Then it worked.
I suppose there is a bug in the ktadd command that prevent it from
obeying the kdc.conf configurations so that no afs-aware keys are
generated.
Ken, could you please comment on that and eventually merge it into the
migration kit readme?
Now, the next steps are to get AFS integrated into the user
environment. On linux, I have similar difficulties to get aklog
compiled as on solaris.
However, I discovered (on RH 7.0) the krbafs and krbafs-utils packages
which provide among other things an afslog program which claims to do
approximately the same as aklog. It doesn't seem to work for me. Any
suggestions?
(Details: strace shows it indeed reads the krb5.conf but only the
tkt500 file and not the appropriate krb5cc_500_*.file; it furthermore
is not able to determine the cell and the realm by itself. Need to use
the -c/-k options respectively)
Furthermore, in the pam_krb5 package, there is a pam_krb5afs module,
which get used after the appropriate use of auth-config. As I can read
in the syslog, it let me authenticate, but I do not get the afs
tokens, as I expected.
Such a module is in my opinion "The Right Thing (TM)", so that each user
automatically gets his credentials right from the start when logging
in. This could very well avoid much confusion about files not yet
reachable during the login process.
Has anybody through this before?
--
Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe