[OpenAFS] SuSE 9.2: anyone?
Sensei
Sensei <senseiwa@tin.it>
Mon, 27 Dec 2004 17:10:49 +0100
Ken Aaker wrote:
> On the SuSE 9.2 systems (about 5) [...]
I've found the right kernel module, and now I'm facing some problems in
making SuSE authenticate over our KDCs and use the AFS namespace for
home directories.
First, the AFS client seems to support only *one* IP address. I entered
just one and OK, it seems that the cell is working anyway --- is the
CellServDB enough? I don't know anymore!
===[/etc/sysconfig/afs-client]===
THIS_CELL_SERVER="ip.address"
THIS_CELL_SERVER_NAME="cell.name"
Now, the problem is Kerberos5 and LDAP. We have MIT K5 along with
OpenLDAP just for uid/gid and home dirs, both on Debian stable (we have
other info of course, but none of it is important from this point of
view). LDAP has *NO* base DN. We have Gentoo, Debian, Knoppix and Red Hat
clients all working, but no luck with SuSE!
I can kinit and I gain the right token. The authentication from PAM and
nss_ldap is NOT working. Anyway, I don't see anything bad in my
configuration:
===[/etc/openldap/ldap.conf]===
base
host dir.cell.name slave.cell.name
nss_base_passwd
nss_base_shadow
nss_base_group
===[/etc/nsswitch.conf]===
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files
===[/etc/pam.d/login]===
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_krb5afs.so use_first_pass nodelay
auth required pam_securetty.so
auth required pam_nologin.so
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
password required pam_krb5afs.so
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_resmgr.so
===[/etc/sysconfig/ldap]===
BASE_CONFIG_DN=""
BIND_DN=""
===[/etc/krb5.conf]===
[libdefaults]
clockskew = 300
default_realm = CELL.NAME
[realms]
CELL.NAME = {
kdc = krb.cell.name
kdc = slave.cell.name
default_domain = cell.name
kpasswd_server = krb.cell.name
}
[domain_realm]
.cell.name = CELL.NAME
cell.name = CELL.NAME
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
afs_cells = cell.name
}
I get this in /var/log/messages:
Dec 27 16:25:20 plm02 -- MARK --
Dec 27 16:41:43 plm02 login[15375]: pam_krb5afs: unable to determine uid/gid for user
Dec 27 16:41:43 plm02 login[15375]: pam_krb5afs: authentication fails for `username'
Dec 27 16:41:43 plm02 login[15375]: pam_krb5afs: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)
Dec 27 16:41:50 plm02 login[15375]: FAILED LOGIN 1 FROM /dev/tty1 FOR UNKNOWN, User not known to the underlying authentication module
Dec 27 16:41:54 plm02 modprobe: FATAL: Could not load /lib/modules/2.6.8-24-default/modules.dep: No such file or directory
Anyway... I can use Kerberos and AFS, but NOT LDAP with nsswitch. LDAP is
working CORRECTLY under GSSAPI!
plm02:/var/log # klist
klist: No ticket file: /tmp/krb5cc_0
plm02:/var/log # tokens
Tokens held by the Cache Manager:
--End of list--
plm02:/var/log # kinit username
username@CELL.NAME's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
plm02:/var/log # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: username@CELL.NAME
Issued Expires Principal
Dec 27 16:44:36 Dec 28 02:44:36 krbtgt/CELL.NAME@CELL.NAME
Dec 27 16:44:36 Dec 28 02:44:36 afs/cell.name@CELL.NAME
plm02:/var/log # tokens
Tokens held by the Cache Manager:
Tokens for afs@cell.name [Expires Dec 28 02:44]
--End of list--
I can use AFS after all:
plm02:/var/log # cd /afs/cell.name/usr/u/username/private/
plm02:/afs/cell.name/usr/u/username/private/ # touch a
plm02:/afs/cell.name/usr/u/username/private/ # rm a
plm02:/afs/cell.name/usr/u/username/private/ # fs listacl .
Access list for . is
Normal rights:
system:administrators rlidwka
username rlidwka
But nsswitch isn't working!
plm02:/afs/cell.name/usr/u/username/private/ # groups username
id: username: No such user
plm02:/afs/cell.name/usr/u/username/private/ # ldapsearch "cn=plm"
SASL/GSSAPI authentication started
SASL username: username@CELL.NAME
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=plm
# requesting: ALL
#
# plm
dn: cn=plm
objectClass: top
objectClass: posixGroup
cn: plm
gidNumber: 10002
memberUid: username
description: afs plm group
# search result
search: 5
result: 0 Success
# numResponses: 2
# numEntries: 1
You're using SuSE... so... what's going on here? :(
--
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB>
<icqnum:241572242>
<yahoo!:sensei_sen>
<msn-id:sensei_sen@hotmail.com>
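As an added illustration (not part of the original post or of nss_ldap itself), the script below reproduces offline what the nss_ldap side of the post is expected to do: it parses the posted ldap.conf to work out which search base each NSS map would use (nss_ldap falls back to `base` when the map-specific `nss_base_*` key is empty), parses the LDIF that the author's `ldapsearch "cn=plm"` returned, and renders the posixGroup entry the way `getent group` and `groups` would show it. Both input texts are constructed copies of what appears in the post; the function names are the example's own.

```python
"""Emulate the nss_ldap group map from the post's ldap.conf and LDIF.

Example code written for this page; the two inputs below are constructed
copies of the configuration and ldapsearch output quoted in the post.
"""

# Constructed: /etc/openldap/ldap.conf as posted (empty base, empty nss_base_* keys).
LDAP_CONF = """\
base
host dir.cell.name slave.cell.name
nss_base_passwd
nss_base_shadow
nss_base_group
"""

# Constructed: the LDIF returned by the author's ldapsearch "cn=plm".
LDIF = """\
# plm
dn: cn=plm
objectClass: top
objectClass: posixGroup
cn: plm
gidNumber: 10002
memberUid: username
description: afs plm group

# search result
search: 5
result: 0 Success
"""


def parse_ldap_conf(text):
    """Return {key: value} for an nss_ldap/OpenLDAP style ldap.conf.

    Keys are lower-cased; a key with no value is stored as an empty string,
    which is exactly what the posted file contains for base and nss_base_*.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def effective_base(conf, mapname):
    """Search base nss_ldap uses for a map: nss_base_<map> if set, else base.

    nss_base_<map> may carry "?scope?filter" suffixes; only the DN part is returned.
    """
    specific = conf.get(f"nss_base_{mapname}", "")
    if specific:
        return specific.split("?")[0]
    return conf.get("base", "")


def parse_ldif(text):
    """Parse simple single-line-attribute LDIF into a list of entry dicts.

    Comments are skipped, a blank line ends an entry, and attribute lines that
    do not follow a dn: line (ldapsearch's "search:"/"result:" trailer) are ignored.
    """
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = {"dn": value}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def group_lines(entries):
    """Render posixGroup entries as `getent group` would: name:*:gid:members."""
    lines = []
    for e in entries:
        if "posixGroup" not in e.get("objectClass", []):
            continue
        members = ",".join(e.get("memberUid", []))
        lines.append(f"{e['cn'][0]}:*:{e['gidNumber'][0]}:{members}")
    return lines


def groups_for_user(entries, user):
    """Supplementary groups listing `user` in memberUid, as `groups` would print them."""
    return sorted(e["cn"][0] for e in entries
                  if "posixGroup" in e.get("objectClass", [])
                  and user in e.get("memberUid", []))


if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    for m in ("passwd", "shadow", "group"):
        print(f"{m}: base={effective_base(conf, m)!r}")
    entries = parse_ldif(LDIF)
    print("\n".join(group_lines(entries)))
    print("groups username ->", " ".join(groups_for_user(entries, "username")))
```

Note that the real `groups username` first resolves the user through the passwd map before listing groups, which is where the posted `id: username: No such user` comes from; the post shows no posixAccount entry, so the emulation covers only the group entry that was actually returned.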