[OpenAFS] MIT Kerberos V authentication with OpenAFS
Derek T. Yarnell
derek@cs.umd.edu
Wed, 6 Mar 2002 16:40:59 -0500
I have a question for people on this list who are using Krb5 with OpenAFS
and Solaris: what versions / compile options / PAM modules are you using in
conjunction to get ssh krb5 tickets? I am not worried about AFS tokens because
I can get that to work, but I am having real trouble getting PAM to get the
right krb5 tickets. I have gotten the shipped Solaris 8 pam_krb5 module to
log into the console with the appropriate ticket and such, but ssh does not want
to do it. Is anyone doing this? If so, might I pick your brain on a few things?
On Wed, Mar 06, 2002 at 11:25:12AM -0600, Neulinger, Nathan wrote:
> Basically, you just point your krb5 clients at the ADS DC, add an afs@CELL
> principal to the DC, extract it to a keytab, copy that keytab and a
> KeyFile to someplace you want to run your krb524d service. You then run
> aklog on the clients to cause them to get AFS tokens after getting
> krb5 tickets.
>
> Shouldn't need much special in krb5.conf. But I run with:
>
> [libdefaults]
>     default_realm = UMR.EDU
>     default_tgs_enctypes = des-cbc-crc
>     default_tkt_enctypes = des-cbc-crc
>
> [realms]
>     UMR.EDU = {
>         kdc = kdc.umr.edu
>         admin_server = kdc.umr.edu
>         default_domain = umr.edu
>         krb524_server = krb524.umr.edu
>     }
>
> [domain_realm]
>     .umr.edu = UMR.EDU
>     umr.edu = UMR.EDU
>
> [logging]
>     default = SYSLOG:INFO:DAEMON
>
> [appdefaults]
>     autologin = true
>     forward = true
>     forwardable = true
>     krb4_get_tickets = false
>     krb4_convert = false
>     krb5_run_aklog = true
>     krb5_aklog_path = /home/local/krb5/bin/aklog
>     check_quota = false
>     retain_ccache = false
>     afs_retain_token = false
>     encrypt = true
>     forceencrypt = false
>     default_lifetime = "200d"
>
>     UMR.EDU = {
>         afs_retain_token = true
>     }
>
>     xdm = {
>         afs_retain_token = false
>     }
>
>     ftpd = {
>         afs_retain_token = false
>     }
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: nneul@umr.edu
> University of Missouri - Rolla Phone: (573) 341-4841
> Computing Services Fax: (573) 341-4216
>
>
> > -----Original Message-----
> > From: Holger Brueckner [mailto:lists@net-labs.de]
> > Sent: Wednesday, March 06, 2002 11:15 AM
> > To: Neulinger, Nathan
> > Subject: RE: [OpenAFS] MIT Kerberos V authentication with OpenAFS
> >
> >
> > On Mon, 2002-03-04 at 19:04, Neulinger, Nathan wrote:
> > > I just set up a link to it as http://www.umr.edu/~krb5src/ but I'm not
> > > making any promises as to how long that will remain available.
> > >
> > > -- Nathan
> >
> > Hi thanks for the link ... now on to further questions ;)
> >
> > i read on the afs wiki that you are doing afs authentication against a
> > w2k kdc. could you describe how that setup works ?!? this would be a
> > good setup for a local school project here.
> >
> > i tried to set up your modified version of krb524d. stracing revealed
> > that it got some strange paths compiled but ln is your friend ... the
> > w2k kdc probably needs to be in mit compatibility mode. what do you have
> > in krb5.conf ?!?
> >
> > thx for your help
> >
> > Holger
> >
> >
> >
> >
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
--
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek@cs.umd.edu
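
Added example (not part of the original thread and not code from either poster's setup): a small Python resolver for the `[appdefaults]` layout quoted above, using MIT krb5's documented precedence (application block, then realm block, then the generic setting) to show which `afs_retain_token` value a given program ends up with, and listing the `[libdefaults]` enctype settings that name single-DES types. The sample text is constructed from the quoted file, and the function names and the `sshd` application name are assumptions.

```python
import re

# Constructed sample: the quoted krb5.conf reduced to the lines that matter here.
SAMPLE = """\
[libdefaults]
    default_realm = UMR.EDU
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
[appdefaults]
    krb5_run_aklog = true
    afs_retain_token = false
    UMR.EDU = {
        afs_retain_token = true
    }
    xdm = {
        afs_retain_token = false
    }
"""

def parse(text):
    """Parse into {section: {key: value or sub-block dict}}; one level of '{ }' only."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            sub = None
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            sub = section.setdefault(m.group(1), {})
        elif m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line):
            (sub if sub is not None else section)[m.group(1)] = m.group(2).strip('"')
    return conf

def appdefault(conf, app, option):
    """Resolve an option: app block first, then default-realm block, then generic."""
    ad = conf.get("appdefaults", {})
    realm = conf.get("libdefaults", {}).get("default_realm")
    for scope in (ad.get(app), ad.get(realm), ad):
        if isinstance(scope, dict) and isinstance(scope.get(option), str):
            return scope[option]
    return None

def single_des_settings(conf):
    """Names of libdefaults enctype settings listing single DES (deprecated by RFC 6649)."""
    lib = conf.get("libdefaults", {})
    return sorted(k for k, v in lib.items() if k.endswith("_enctypes")
                  and isinstance(v, str) and any(e.startswith("des-cbc-") for e in v.split()))
```

With this layout the realm block overrides the generic `afs_retain_token = false` for every program that has no block of its own, so only `xdm` and `ftpd` in the quoted file actually get `false`.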