[OpenAFS] Authentication

[David J. M. Karlsen]

Derek Atkins wrote:

>>>You will need to configure your KDC, configure your AFS key, and
>>>then add principals to the KDC and the AFS PTServer.  The AFS
>>>scripts should walk you through most of this.
>>>
>>Hmm, they require me to set up all this first. I can get the kerberos 
>>stuff up - but I'll need some more modules to map the authentication 
>>over to AFS, right? So I'm wondering which modules will do this? 
>>(filenames - not package names).
>>
>
>No, not particularly -- AFS uses Kerberos authentication.  So, you'll
>need to be running Kerberos, and krb524d, but that's it.  The Debian
>
OK - kerberos works (ie - I can telnet in - using the kerberos password. 
afterwords I do a klist - and the token is there:


Trying 192.168.1.211...
Connected to test.hjemmenett.
Escape character is '^]'.
Debian GNU/%s 2.2 %h

*** Connection not encrypted! Communication may be eavesdropped. ***


Linux 2.4.17 (test) (ttyp0)


User not authenticated. Using plaintext username and password
login: root
Password:
Login incorrect.
login: root
Password:
test:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: root@HJEMMENETT

  Issued           Expires          Principal
Jan  6 20:35:13  Jan  7 06:35:13  krbtgt/HJEMMENETT@HJEMMENETT


>openafs packages (openafs-krb5?) should give you aklog, which will
>
it's for MIT kerberos - I'm running heimdal. The MIT that's in debians 
stable is kerberos4 - I want to run 5 as there are securityproblems with 
v4. the openafs-krb5 package is only in testing, and, as said, for MIT. 
I just sent a mail to Sam asking for some help and hints.

>give you an AFS token from a Kerberos TGT.  Or you can use the PAM
>modules that will do it for you (I don't remember offhand what Sam
>packages).
>
>>Maybe you have some configfiles you could provide us with?
>>
>I don't use Debian, personally.  Sorry.  Nothing to give you.
>
The config doesn't depend esp. on debian. But'll await some help from 
Sam - he should know it :)