[OpenAFS] MIT Kerberos V authentication with OpenAFS

Neulinger, Nathan nneul@umr.edu
Wed, 6 Mar 2002 15:42:58 -0600


I despise pam with a passion, so I'm the wrong person to ask. For our
environment, we just replace all of the login/telnet/ftp/etc. tools with
kerberos equivalents.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: Derek T. Yarnell [mailto:derek@cs.umd.edu]
> Sent: Wednesday, March 06, 2002 3:41 PM
> To: Neulinger, Nathan
> Cc: Holger Brueckner; openafs-info@openafs.org
> Subject: Re: [OpenAFS] MIT Kerberos V authentication with OpenAFS
>
>
> The question I have for people on this list that are using Krb5 for
> openafs and solaris: what versions / compile options / pam modules are
> you using in conjunction to get ssh krb5 tickets? I am not worried about
> afs tokens because I can get that to work. But I am having real troubles
> getting pam to get the right krb5 tickets. I have gotten with the shipped
> solaris 8 pam_krb5 module to log into the console with the appropriate
> ticket and such. But ssh does not want to do it. Anyone doing this? If so
> might I pick your brain on a few things?
>
> On Wed, Mar 06, 2002 at 11:25:12AM -0600, Neulinger, Nathan wrote:
> > Basically, you just point your krb5 clients at the ADS DC, add an
> > afs@CELL principal to the DC, extract it to a keytab, copy that keytab
> > and a KeyFile to someplace you want to run your krb524d service. You
> > then run aklog on the clients to cause them to get afs tokens after
> > getting krb5 tickets.
> >
> > Shouldn't need much special in krb5.conf. But I run with:
> >
> > [libdefaults]
> >         default_realm = UMR.EDU
> >         default_tgs_enctypes = des-cbc-crc
> >         default_tkt_enctypes = des-cbc-crc
> >
> > [realms]
> >         UMR.EDU = {
> >                 kdc = kdc.umr.edu
> >                 admin_server = kdc.umr.edu
> >                 default_domain = umr.edu
> >                 krb524_server = krb524.umr.edu
> >         }
> >
> > [domain_realm]
> >         .umr.edu = UMR.EDU
> >         umr.edu = UMR.EDU
> >
> > [logging]
> >         default = SYSLOG:INFO:DAEMON
> >
> > [appdefaults]
> >         autologin = true
> >         forward = true
> >         forwardable = true
> >         krb4_get_tickets = false
> >         krb4_convert = false
> >         krb5_run_aklog = true
> >         krb5_aklog_path = /home/local/krb5/bin/aklog
> >         check_quota = false
> >         retain_ccache = false
> >         afs_retain_token = false
> >         encrypt = true
> >         forceencrypt = false
> >         default_lifetime = "200d"
> >
> >         UMR.EDU = {
> >                 afs_retain_token = true
> >         }
> >
> >         xdm = {
> >                 afs_retain_token = false
> >         }
> >
> >         ftpd = {
> >                 afs_retain_token = false
> >         }
> >
> > -- Nathan
> >
> > ------------------------------------------------------------
> > Nathan Neulinger                       EMail:  nneul@umr.edu
> > University of Missouri - Rolla         Phone: (573) 341-4841
> > Computing Services                       Fax: (573) 341-4216
> >
> >
> > > -----Original Message-----
> > > From: Holger Brueckner [mailto:lists@net-labs.de]
> > > Sent: Wednesday, March 06, 2002 11:15 AM
> > > To: Neulinger, Nathan
> > > Subject: RE: [OpenAFS] MIT Kerberos V authentication with OpenAFS
> > >
> > >
> > > On Mon, 2002-03-04 at 19:04, Neulinger, Nathan wrote:
> > > > I just set up a link to it as http://www.umr.edu/~krb5src/ but I'm
> > > > not making any promises as to how long that will remain available.
> > > >
> > > > -- Nathan
> > >
> > > Hi, thanks for the link ... now on to further questions ;)
> > >
> > > I read on the afs wiki that you are doing afs authentication against
> > > a w2k kdc. Could you describe how that setup works ?!? This would be
> > > a good setup for a local school project here.
> > >
> > > I tried to set up your modified version of krb524d. stracing revealed
> > > that it got some strange paths compiled in, but ln is your friend ...
> > > The w2k kdc probably needs to be in mit compatibility mode. What do
> > > you have in krb5.conf ?!?
> > >
> > > thx for your help
> > >
> > > Holger
> > >
> > >
> > >
> > >
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
>
> --
> ---
> Derek T. Yarnell
> University of Maryland
> Computer Science Department Unix Staff
> derek@cs.umd.edu
>
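A note on the krb5.conf Nathan quotes above, from the archive editor rather than from anyone in the thread: it pins both `default_tgs_enctypes` and `default_tkt_enctypes` to `des-cbc-crc`, a single-DES enctype that was deprecated by RFC 6649, that MIT krb5 has disabled by default since 1.7 (it needs `allow_weak_crypto = true`), and that krb5 1.18 dropped entirely, and it sets a 200-day `default_lifetime`. The following Python audit is an added example, not code from the thread, OpenAFS or MIT Kerberos. It parses krb5.conf's nested section syntax and flags those two settings; the embedded sample config is constructed to mirror the quoted one, and the one-day lifetime threshold is an arbitrary choice for the example.

```python
import re

# Constructed sample krb5.conf, modelled on the one quoted in the thread
# (not the file from any real host).
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = UMR.EDU
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc

[realms]
        UMR.EDU = {
                kdc = kdc.umr.edu
                admin_server = kdc.umr.edu
                default_domain = umr.edu
                krb524_server = krb524.umr.edu
        }

[domain_realm]
        .umr.edu = UMR.EDU
        umr.edu = UMR.EDU

[appdefaults]
        forwardable = true
        krb5_run_aklog = true
        krb5_aklog_path = /home/local/krb5/bin/aklog
        default_lifetime = "200d"
        UMR.EDU = {
                afs_retain_token = true
        }
"""

# [libdefaults] relations whose values are enctype lists.
ENCTYPE_RELATIONS = ("default_tgs_enctypes", "default_tkt_enctypes",
                     "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts: {section: {relation: value | {...}}}.

    Handles [section] headers, 'key = value' relations, and 'key = {' ... '}'
    subsections (used for per-realm and per-application blocks).
    """
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("relation before any [section]: %r" % line)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unmatched '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed relation: %r" % line)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))   # open subsection
        else:
            stack[-1][key] = value.strip('"')
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return root


def weak_enctypes(conf):
    """Map each enctype relation in [libdefaults] to its single-DES entries."""
    findings = {}
    for rel in ENCTYPE_RELATIONS:
        value = conf.get("libdefaults", {}).get(rel, "")
        # enctype lists may be whitespace- or comma-separated
        names = [e for e in re.split(r"[\s,]+", value) if e]
        weak = [e for e in names if e.lower().startswith("des-")]
        if weak:
            findings[rel] = weak
    return findings


_DURATION_RE = re.compile(r"(\d+)([dhms])")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def duration_seconds(value):
    """Convert a krb5 duration in the NdNhNmNs or bare-seconds form to seconds."""
    if value.isdigit():
        return int(value)
    total, pos = 0, 0
    for m in _DURATION_RE.finditer(value):
        if m.start() != pos:
            break
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):
        raise ValueError("malformed duration: %r" % value)
    return total


def audit(text, max_lifetime_seconds=86400):
    """Return a list of findings for a krb5.conf; an empty list means nothing flagged."""
    conf = parse_krb5_conf(text)
    findings = []
    for rel, encs in weak_enctypes(conf).items():
        findings.append("WEAK [libdefaults] %s: single-DES enctype(s) %s"
                        % (rel, ", ".join(encs)))
    app = conf.get("appdefaults", {})
    lifetime = app.get("default_lifetime")
    if lifetime and duration_seconds(lifetime) > max_lifetime_seconds:
        findings.append("LONG [appdefaults] default_lifetime = %s exceeds %d s"
                        % (lifetime, max_lifetime_seconds))
    if app.get("krb5_run_aklog") == "true" and not app.get("krb5_aklog_path"):
        findings.append("WARN [appdefaults] krb5_run_aklog is true but "
                        "krb5_aklog_path is unset")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_KRB5_CONF):
        print(finding)
```

Run against the sample it reports the two DES relations and the 200-day lifetime; swapping `des-cbc-crc` for an AES enctype such as `aes256-cts-hmac-sha1-96` clears the WEAK findings. The parser only handles the section/relation/brace grammar krb5.conf actually uses, so it also serves as a quick syntax check before a config is pushed to clients.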