[OpenAFS] Help with new OpenAFS/Kerberos install.

Martin Wehner martin@cyclotomic.com
08 Nov 2004 11:19:41 -0800


I am trying to set up a new installation using OpenAFS and Kerberos and
am not having much luck making things work. Worse, I feel that I still
need help understanding the basic concepts. While this post is fairly
long, I am hoping that some of you may have time to look through this
and help me out. I'd greatly appreciate it!


Here's the desired setup:
Servers/workstations running Linux 2.6, compiled from sources obtained
from kernel.org, with no additional patches applied.

Server #1: KDC, running heimdal-0.6.2
Server #2: AFS, running OpenAFS-1.3.71
Workstation: has installs of heimdal-0.6.2, OpenAFS-1.3.71, and
pam_krb5afs.so (from pam-krb5.sf.net)

What I am trying to accomplish is this:
The user logs into the local workstation with her username/password. The
user is authenticated against the kdc. The user's home-directory will be
located on the AFS server; therefore it is necessary to obtain access to
the AFS server right away during login.

From reading the list archives, it appears that OpenAFS may support
authentication using Kerberos 5 tickets directly. That would be just
fine with me.

Here's what I have accomplished so far:
The KDC is running well and authenticates users logging into the local
workstation. The local workstation obtains tickets for the KDC.
The AFS server is running well.
The workstation can start the afsd to mount the AFS file-system. During
start-up of the afsd, a message is logged in the syslog, saying: "Failed
to find address of sys_call_table". However, if I run the kaserver on
server afs, I am able to use the local klog to obtain a token for AFS. I
am then able to access the AFS file-system mounted on the local
workstation.
At this point, I have installed kth-krb on the workstation and the kdc.
This was done so that I would be able to build pam_krb5afs.so. When I
kinit to the kdc, I am able to obtain V4 tickets.

What does not work:
I would like for pam_krb5afs.so to obtain a token for AFS during login.
Currently, I get an error message saying that while a cell-name was
specified, it appears that AFS is not running ("cells specified but AFS
not running"). A similar message appears when I run afslog from the
heimdal code after I log into the local workstation.

Questions:
(1) Is it possible for OpenAFS to use Kerberos 5 tickets obtained from
the heimdal kdc directly to authenticate to the AFS server?
(2) Do I need to install kth-krb (or another Kerberos 4 installation) on
any of the servers/workstations? I.e., is it necessary to have support
for Kerberos 4 to make this happen?
(3) If it is not necessary to install kth-krb, how do I get
pam_krb5afs.so to compile? It appears that it requires krb4 libraries to
build. Are there other alternatives to get AFS tokens immediately during
login?
(4) Is it possible to run the AFS server processes and the kdc on two
different servers? If yes, what do I need to set up for the different
pieces to interoperate? Do I need to run a slave kdc on the AFS server?
(5) If I am able to use Kerberos 5 tickets as tokens, do I need to
enable krb524?
(6) What files need to be set up on the different servers/workstations?
I use krb5.conf on the workstation to find the KDC; I use krb5.conf on
the server to configure the KDC; and I use ThisCell/CellServDB on the AFS
server to provide information about the OpenAFS server. Do I need to set
up ThisCell/CellServDB on the workstation as well so that it knows how
to locate the OpenAFS server?

Observations:
I looked into the problem with the sys_call_table issue on the
workstation.
Here's what I've found:
cat /proc/kallsyms | grep sys_call_table
cea19858 b sys_call_table       [libafs]

nm libafs-2.6.8.1.ko | grep sys_call_table
0000a658 b sys_call_table

At a previous point, I had installed aklog on the workstation from
Debian packages. When I had logged into the workstation and obtained a
ticket from the KDC, I ran aklog -d. It showed that the UID for the user
was resolved properly to a numeric ID. It then failed, reporting a
problem with a pioctl (sorry, I don't have the exact message handy).

I looked through the source-code of the various packages. It appears
that the error message reported by pam_krb5afs.so about AFS not running
on the workstation is a result of k_hasafs returning in the negative.

Problem with SSL: Wherever possible, I used openssl-0.9.7d to compile
the software packages. For kth-krb, I had to compile without OpenSSL.


OK, well, if you are still with me at this point: Thank you for reading
through all of this!
I'm hoping I've provided enough information about my setup and where I'd
like to go.
I'd greatly appreciate help with these issues.

Thank you in advance!

-- 
Martin Wehner (martin@cyclotomic.com)

Cyclotomic, Inc.
Software done right
http://www.cyclotomic.com
--
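The kallsyms and nm lines quoted in the post can be read mechanically. The following is an added example (not the poster's code and not part of OpenAFS) that parses /proc/kallsyms-style lines and reports, for a given symbol name, whether the core kernel defines it as a global symbol or whether only a module-local copy exists; a lowercase type letter marks a local symbol, and "b" marks uninitialised (BSS) data. The input is constructed: the post's own sys_call_table line plus made-up neighbouring symbols (sys_close, afs_syscall_stub) so that both cases appear.

```python
"""Interpret /proc/kallsyms lines (added example; sample input is constructed)."""
from collections import namedtuple

Symbol = namedtuple("Symbol", "address type name module")

# Constructed sample: the line quoted in the post plus invented neighbours.
# Only "sys_call_table [libafs]" is taken from the post; the rest is made up.
KALLSYMS_SAMPLE = """\
c0100000 T _stext
c01033a0 T sys_close
cea19858 b sys_call_table\t[libafs]
cea12000 t afs_syscall_stub\t[libafs]
"""

def parse_kallsyms(text):
    """Parse '<addr> <type> <name> [module]' lines (the /proc/kallsyms format)."""
    symbols = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:          # skip blank or malformed lines
            continue
        module = parts[3].strip("[]") if len(parts) > 3 else None
        symbols.append(Symbol(int(parts[0], 16), parts[1], parts[2], module))
    return symbols

def describe_type(letter):
    """nm/kallsyms type letter: the letter gives the section, its case the scope."""
    sections = {"t": "text", "d": "initialised data", "b": "uninitialised data (BSS)",
                "r": "read-only data", "u": "undefined"}
    scope = "global" if letter.isupper() else "local"
    return f"{scope} {sections.get(letter.lower(), 'other')} symbol"

def find_symbol(text, name):
    """All symbols called NAME, whichever module (or the core kernel) defines them."""
    return [s for s in parse_kallsyms(text) if s.name == name]

def kernel_exports(text, name):
    """True only if the core kernel (no [module] tag) defines NAME as a global symbol."""
    return any(s.module is None and s.type.isupper() for s in find_symbol(text, name))

if __name__ == "__main__":
    for s in find_symbol(KALLSYMS_SAMPLE, "sys_call_table"):
        where = f"module {s.module}" if s.module else "core kernel"
        print(f"{s.name} @ {s.address:08x}: {describe_type(s.type)} in {where}")
    print("kernel exports sys_call_table:",
          kernel_exports(KALLSYMS_SAMPLE, "sys_call_table"))
```

Run against the post's sample, the only sys_call_table found is libafs's own local BSS variable, so the core kernel exports no symbol of that name; the same parser works on a real /proc/kallsyms dump.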