[OpenAFS] AFS + Kerberos 5

Sergio Gelato Sergio.Gelato@astro.su.se
Mon, 22 Mar 2004 18:43:17 +0100


* Padiyath Sreekumaran [2004-03-22 16:33:43 +0100]:
> I know this is an OpenAFS mailing list. I also know that there are
> many AFS experts on this list. I have a question regarding
> Kerberos 5 + AFS on Tru64 with OS 5.1a. I have installed the IBM
> AFS client SW on our Tru64 machines, which works without problem.
> But we are planning to move to Kerberos 5. I have compiled and
> installed Kerberos 5 so that I can execute kinit and aklog to get
> tokens. But I noticed that now I am getting the password prompt twice
> when I try to log in. I want to combine aklog with the password.
> I found a Kerberos 5 Tru64 SIA plugin on the net. So I could create
> a library (libsiakrb5.so) and add it to matrix.conf.

You may want to take a look at Heimdal's combined Kerberos 5 + AFS SIA
module. You'll want to patch it to use krb5_afslog() rather than krb_afslog(),
but that's a very easy task. I've done it and can send you the patches.
(I should check whether they've been integrated upstream. Maybe they have.)

There are some interoperability issues between Heimdal's SIA module and
OpenSSH. I had patches against OpenSSH 3.7*p* but with 3.8p1 I found that
it was simpler to build OpenSSH --without-osfsia and rely on the built-in
KerberosAuthentication and KerberosGetAFSToken support. (I have a patch
to make the GetAFSToken support also work with GSSAPI delegated TGTs.)

As to what Heimdal version to use, I'd recommend a recent snapshot,
possibly on the 0.6 branch (that will become 0.6.1), particularly if
you're going to let both MIT and Heimdal libraries manipulate the same
credentials caches. An incompatibility was recently fixed that matters
on Alpha.

> This helps me not to execute the kinit command explicitly. When
> I log in now I get permission errors for my HOME directory since I have
> not yet executed the aklog command. I still have to execute
> aklog to have access to my HOME directory. I get the following message
> when I log in:
>
> No directory!
> Logging in with home = "/".
> Compaq Tru64 UNIX V5.1A (Rev. 1885); Tue Aug 19 10:31:15 MEST 2003
>
> Any idea where I have to make changes in order to get tokens during
> login? So I do not get the previous error message. If I execute aklog
> explicitly after logging in I have access to my home directory.
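An added example, not code from this thread or from the OpenAFS or Heimdal projects: a small profile helper that checks the Cache Manager's token list and runs aklog only when no usable token for the home cell is held. It assumes the OpenAFS `tokens` and `aklog` commands are on PATH; the cell name `example.cell` is a placeholder, not one taken from the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from the post or from the
# OpenAFS/Heimdal projects: a ~/.profile helper that runs aklog only when the
# AFS Cache Manager holds no usable token for the home cell, so a login that
# already obtained a Kerberos 5 TGT (via the SIA module or sshd) ends with an
# AFS token before the shell touches $HOME.
# Assumptions: the OpenAFS "tokens" and "aklog" commands are on PATH, and
# AFS_CELL is a placeholder cell name, not one taken from the thread.

AFS_CELL="${AFS_CELL:-example.cell}"   # placeholder, set to your real cell

# has_afs_token CELL
# Reads "tokens" output on stdin and succeeds when an unexpired token for
# CELL is listed. Matches both the classic "tokens for afs@CELL" line and the
# newer "rxkad tokens for CELL" wording; a "[>> Expired <<]" line does not count.
has_afs_token() {
    cell="$1"
    grep -F -e "tokens for afs@${cell} " -e "tokens for ${cell} " \
        | grep -v -F '>> Expired <<' \
        | grep -q .
}

# ensure_afs_token CELL
# Obtains a token with aklog when none is held. aklog needs a Kerberos 5 TGT
# in the credentials cache (from kinit, the SIA module or sshd's
# KerberosAuthentication); without one it fails and reports why.
ensure_afs_token() {
    cell="$1"
    if tokens 2>/dev/null | has_afs_token "$cell"; then
        return 0            # already hold a token, nothing to do
    fi
    aklog -cell "$cell"
}
```

Call `ensure_afs_token "$AFS_CELL"` from `~/.profile` or the system-wide profile. Note what this does and does not fix: the shell's profile runs after the login program has already checked the home directory, so the helper gets the token for everything that follows but cannot remove the "No directory!" message itself; that goes away only when the token is obtained before the session starts, by the SIA module (Heimdal's combined module with krb5_afslog()) for console logins, or by sshd built with KerberosAuthentication and KerberosGetAFSToken support for ssh logins, as the reply describes.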