[OpenAFS] Kerberos 5, AFS, and no krb524d

Nathan Neulinger nneul@umr.edu
Mon, 9 Jun 2003 15:18:09 -0500


I take that back, it did get committed, but it is ifdef-notdef'd.

-- Nathan

On Mon, Jun 09, 2003 at 03:14:25PM -0500, Nathan Neulinger wrote:
> At one point a while back I wrote code to support krb5 syntax, but didn't get it 
> committed at the time since Derrick wanted to hold off.
> 
> -- Nathan
> 
> On Mon, Jun 09, 2003 at 03:29:28PM -0400, Derek Atkins wrote:
> > Oh!  How silly of me.  AFS uses krb4 naming schemes, not krb5 naming
> > schemes.  This means that your krb5 principal
> > afsadmin/roughneck.liniac.upenn.edu needs to be inserted into your
> > PTS and BOS UserList as a krb4 name:
> > 
> >         afsadmin.roughneck.liniac.upenn.edu
> > 
> > And you need the appropriate quoting around the embedded periods
> > in the name (probably afsadmin.roughneck\.liniac\.upenn\.edu)
> > 
> > -derek
> > 
> > Nicholas Henke <henken@seas.upenn.edu> writes:
> > 
> > > On Mon, 2003-06-09 at 14:19, Douglas E. Engert wrote:
> > > > Nicholas Henke wrote:
> > > > > 
> > > > > On Mon, 2003-06-09 at 11:59, Douglas E. Engert wrote:
> > > > > > I think you are asking if the ak5log I have can run with the standard
> > > > > > Kerberos krb524 lib and krb524d.
> > > > > 
> > > > > Sorry for the confusion -- yes that is what I was asking.
> > > > > I have gotten ak5log to compile and run -- and it appears to be
> > > > > succeeding.
> > > > 
> > > > Was this with afs/<cell>@<realm> or with afsx/<cell>@<realm>?
> > > 
> > > afs/roughneck.liniac.upenn.edu@UPENN.EDU -- note that this works for
> > > aklog as well as your ak5log. 
> > > > 
> > > > Is this just an admin problem? 
> > > > 
> > > > Does it work with an ordinary user?
> > > 
> > > I am not sure -- I have not been able to even setup the toplevel of the
> > > /afs space. So far it is just an admin problem.
> > > 
> > > > 
> > > > You are trying to use a multipart user name, which might be making it harder. 
> > > > If you had a principal like henkeadmin@<realm> and gave the AFS user henkeadmin
> > > > all privileges and listed it in /usr/afs/etc/UserList, I think that would work.
> > > > (Each of our AFS admins has his own account so we don't have a shared afsadmin.)
> > > 
> > > This would just include the membership in system:administrators and bos
> > > adduser? I have done this for my regular username:
> > > 
> > > [root@roughneck etc]# bos adduser roughneck.liniac.upenn.edu henken
> > > -cell roughneck.liniac.upenn.edu -noauth
> > > 
> > > [root@roughneck etc]# pts createuser -name henken -cell
> > > roughneck.liniac.upenn.edu -noauth
> > > User henken has id 2
> > > 
> > > [root@roughneck etc]# pts adduser henken system:administrators -cell
> > > roughneck.liniac.upenn.edu -noauth
> > > 
> > > [root@roughneck etc]# pts membership henken
> > > libprot: a pioctl failed Could not get afs tokens, running
> > > unauthenticated.
> > > Groups henken (id: 2) is a member of:
> > >   system:administrators
> > > 
> > > After this I stop the running bosserver -noauth, kill it and start afs.
> > > 
> > > enken@roughneck henken $ klist
> > > Ticket cache: FILE:/tmp/krb5cc_27659
> > > Default principal: henken@UPENN.EDU
> > > 
> > > Valid starting     Expires            Service principal
> > > 06/09/03 14:26:30  06/10/03 00:26:27  krbtgt/UPENN.EDU@UPENN.EDU
> > > 
> > > 
> > > Kerberos 4 ticket cache: /tmp/tkt27659
> > > klist: You have no tickets cached
> > > henken@roughneck henken $ aklog -d
> > > Authenticating to cell roughneck.liniac.upenn.edu (server
> > > roughneck.liniac.upenn.edu).
> > > We've deduced that we need to authenticate to realm UPENN.EDU.
> > > Getting tickets: afs/roughneck.liniac.upenn.edu@UPENN.EDU
> > > About to resolve name henken to id in cell roughneck.liniac.upenn.edu.
> > > Id 2
> > > Set username to AFS ID 2
> > > Setting tokens. AFS ID 2 /  @ UPENN.EDU
> > > 
> > > 
> > > henken@roughneck henken $ bos listusers roughneck.liniac.upenn.edu
> > > SUsers are: afsadmin.roughneck.liniac.upenn.edu henken
> > > 
> > > henken@roughneck henken $ bos listkeys roughneck.liniac.upenn.edu
> > > bos: you are not authorized for this operation error encountered while
> > > listing keys
> > > 
> > > > 
> > > > If you must use the multipart name, I don't think it gets converted
> > > > like you might want. The krb524d appears to eventually call the
> > > > krb5_524_conv_principal routine, and I don't see afsadmin listed.
> > > 
> > > What other information can I provide? It seems like I get the same
> > > errors regardless of the use of ak5log over aklog or vice-versa. They
> > > seem to be hitting the same problem.
> > > 
> > > Nic
> > > -- 
> > > Nicholas Henke
> > > Penguin Herder & Linux Cluster System Programmer
> > > Liniac Project - Univ. of Pennsylvania
> > > 
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> > 
> > -- 
> >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >        Member, MIT Student Information Processing Board  (SIPB)
> >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >        warlord@MIT.EDU                        PGP key available
> 

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
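The name mapping Derek describes (a two-component krb5 principal such as afsadmin/host@REALM becomes the krb4-style afsadmin.host that PTS and the BOS UserList know about), together with a check of that name against `bos listusers` output, as an added example that is not code from this thread or from OpenAFS. The sample listusers line is taken from Nic's message; the handling of a principal from a realm other than the cell's local realm (appending the lowercased realm) is this example's own assumption, as is the rule that principals with more than two components have no krb4 form.

```python
"""Map Kerberos 5 principals to the krb4-style names AFS looks up, and
check whether such a name appears in the superuser list from bos listusers."""
from __future__ import annotations

# Constructed sample, copied from the bos listusers output in the thread.
SAMPLE_LISTUSERS = "SUsers are: afsadmin.roughneck.liniac.upenn.edu henken\n"


def krb5_to_krb4_name(principal: str) -> tuple[str, str]:
    """Split 'name/instance@REALM' into ('name.instance', 'REALM').

    A plain 'name@REALM' maps to ('name', 'REALM').  krb4 names carry only a
    name, an instance and a realm, so a principal with three or more
    components has no krb4 equivalent (assumption of this example) and is
    rejected rather than silently truncated.
    """
    if "@" not in principal:
        raise ValueError("principal must include a realm: %r" % principal)
    local, realm = principal.rsplit("@", 1)
    components = local.split("/")
    if len(components) > 2:
        raise ValueError(
            "no krb4 form for a %d-component principal: %r" % (len(components), principal)
        )
    return ".".join(components), realm


def afs_username(principal: str, local_realm: str) -> str:
    """Name AFS will look up in PTS / UserList for this principal.

    Identities from the cell's own realm are used bare; identities from any
    other realm are assumed to be recorded as name@realm with the realm in
    lower case (this example's assumption).
    """
    name, realm = krb5_to_krb4_name(principal)
    if realm.upper() == local_realm.upper():
        return name
    return "%s@%s" % (name, realm.lower())


def parse_bos_listusers(output: str) -> list[str]:
    """Extract the superuser names from 'bos listusers' output.

    The command prints a single line of the form 'SUsers are: a b c'.
    """
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("SUsers are:"):
            return line[len("SUsers are:"):].split()
    return []


def is_listed_superuser(principal: str, listusers_output: str, local_realm: str) -> bool:
    """True if the AFS name derived from principal is in the UserList output."""
    return afs_username(principal, local_realm) in parse_bos_listusers(listusers_output)


if __name__ == "__main__":
    for p in ("afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU", "henken@UPENN.EDU",
              "afsadmin@UPENN.EDU"):
        print(p, "->", afs_username(p, "UPENN.EDU"),
              "listed" if is_listed_superuser(p, SAMPLE_LISTUSERS, "UPENN.EDU") else "NOT listed")
```

Run with the cell's local realm and the output of `bos listusers <cell>` on stdin or pasted into SAMPLE_LISTUSERS; a principal whose derived name is reported as NOT listed is one the BOS server will refuse, whatever tokens aklog or ak5log set.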