[OpenAFS] Kerberos with AFS

Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
22 May 2001 15:17:57 +0200

Derrick J Brashear <shadow@dementia.org> writes:

> Someone want to work on such a document?

I dont really have much time at the moment, but I nevertheless
would like to share my experiences.  So here is my part:

> > 1. Why to use Kerberos with AFS? 
> Kerberos v5 is a standards-track, multiply-implemented, cross platform
> system with generic usefulness. AFS authentication is not.

AFS was designed to be used with some kerberos kdc. It comes with its
own implementation of a kerberos 4 Server (kaserver), but you could
use another one, like MIT kerberos 5.

> > 2. Why not to use AFS for authentication?
> If it's AFS or Kerberos v4, use AFS. The actual answer to this depends who
> you ask, and what you mean.

Under ususal circumstances, it is not advisable to do a fresh install
of an older version program. Kerberos 5 has certain security
improvements (such as using the realm as salt for encryption).

Furthermore, most other kerberos aware services work well with krb5
(e.g. lprng manpage mentions kerberos 5 but not kerberos 4, does it
work nevertheless?).

You can use krb4 clients with krb5 servers, but not krb5 clients with
krb4 server. That is, if you have any service requiring krb5, you are
forced to use krb5.

However, currently, it is rather painfull to install afs with krb5 (at
least it was in my case, and the posts on this list second this) so it
really is to be considered if you want to take that track. 

I personally dream of afs as "yet another krb5-kerberized service".  

> > 3. What is the principle of operation of an integrated krb5/afs
> > installation?
> Treat it like a Kerberos realm, except it will have a key for
> afs/cell.name or afs which is put in the KeyFiles of all your AFS servers

Oooh, what a question...

> > 4. What implementation of Kerberos to use (Heimdal/MIT/W2K)? What's the
> > difference?
> Which one depends who you ask and what your requirements are. The only
> reason to use the Win2K one would be if you were using Active Directory
> and the like, IMO.
> > 5. What is aklog/afslog ? Where are they derived from and what do they do?
> Program which uses your Kerberos ticket granting ticket to get a service
> ticket for AFS, convert it to a token, and stuff it into your client's
> kernel so AFS knows you have authentication.
> > 6. What is the krbafs library?
> A library to ease getting an AFS ticket and converting it to a token
> > 7. What special configuration, maybe patches does kerberos need for AFS
> > integration? (key types...)
> Patches: with modern MIT or Heimdal, none. The rest depends if you're
> converting from an old kaserver database or starting a new cell. If you're
> starting a new cell, merely supporting v4-salted keys is sufficient; If
> you're converting an old database you'll need to configure to use afs3
> salted keys with an appropriate cell name.

See the post of me and Forrest Whitcher about the key problematic. 

Mention that the krb principal "host/name.of.machine.domain" get
translated to the afs principal "rcmd.name". 

> > 8. Then what is the klog.krb coming with afs?
> Writes out a kerberos v4 tgt in addition to a token
> > 9. There is a PAM module pam_krb5afs.so. What does it do then?

It gets a krb5 ticket, create a credential cache and put that ticket
in. Furthermore it should get an afs token and stuff it into the
kernel (This second part does not yet work for me, therefore, I write
"it should")

Its configuration is in pam section of the krb5.conf file:

 debug = true
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = true
 afs_cells = your.afs.domain

Since my afs runs on a different machine than the kerberos,
the failure is probably due to the fact that the module does not know
where to get the afs tickets from. Aklog however knows this. 
Therefore, as a workaround I have put a 

session     optional      /lib/security/pam_run.so -o /usr/local/bin/run_aklog

at the end of the pam stack. 

> > 10. How do I integrate all these with PAM?
> Very carefully, and sometimes not at all, depending on how you stack the
> PAM modules you can easily screw yourself. The problem begins when an
> earlier "success" short-circuits the process and AFS modules don't get
> called at all. However, depending what you want to do there are different
> approaches which are "correct".

One approach: 

auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
auth        sufficient    /lib/security/pam_krb5afs.so use_first_pass tokens
auth        required      /lib/security/pam_deny.so

First line lets through all locally authenticated users, without
touching anything about afs. This is mostly used for local root.

Second line lets through all users authenticated by kerberos and gives
(should do so) the user an afs token. 

Third line rejects all login requests not successfull so far. 

> > 11. How to build openssh to forward both krb5 and afs tickets?
> I don't know the answer to this, but I think right now the answer is "you
> can't" 

I had the same problem. There are patches on 


by Simon Wilkinson <sxw@sxw.org.uk>, that allow to forward kerberos
tickets. Don't know about afs tokens yet.

> > 12. How does the krb5 ftp, telnet can support afs? (ftp-ing in an afs home
> > directory)
> The one in Heimdal calls the krbafs library. I don't think the one in MIT
> supports AFS. I may be wrong about that.

IMHO, neither telnet not ftp should be recommended; ssh would be the
better way.
> > 13. How to administer users in the integrated environment? (still need
> > pts!!!)
> Yes, you still need a pts entity per user, and to manage whatever pts
> groups you're using to do access control in your cell.

See chapter 13 of the IBM administration guide for the true "afs way"
to do it. I did not automate it up to now, so here are some
ingredients I know of so far:

kerberos - tells wether the (human) user is the one he claims to
be. It does not tracks any privileges, rights, ids or anything.
You need some entry there; use kadmin to create. 

The local machine needs some way (see quetstion 14) to know wether the
user has the privileges to log in and if so, how to associate a unix
user id to the user. This is not necessarily identical to the afs
id. Though, I would strongly prefer that setting, to avoid unessary

AFS needs a mapping from kerberos-known people to afs ids. This is
done by an entry in the pts database as well as information about the
groups the user belongs to. Use pts create to create this entry.

Furthermore a new volume for the home directory needs to be created,
set to the correct acl, set to the correct quota, chown it, fill with
a skeleton etc. Commands: vos create, fs setacl, fs setquota, fs
mkmount, chown, ...

> > 14. How to distribute the user/group information (nss_ldap, radius and other
> > stuff)
> This one doesn't even belong in an AFS document, pointers to other
> documents which will actually be updated is better.

There are surely many ways to do so. The afs way would be to use the
update server, as far as I understood. You even could use good ol' NIS
to do so.

Martin Schulz                             schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe