[OpenAFS] Help with new OpenAFS/Kerberos install.

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 16 Nov 2004 01:02:23 -0500


On Monday, November 08, 2004 11:19:41 -0800 Martin Wehner 
<martin@cyclotomic.com> wrote:

> What does not work:
> I would like for pam_krb5afs.so to obtain a token for AFS during login.
> Currently, I get an error message saying that while a cell-name was
> specified, it appears that AFS is not running ("cells specified but AFS
> not running"). A similar message appears when I run afslog from the
> heimdal code after I log into the local workstation.

Hm.  I thought heimdal-0.6.2 was new enough, but perhaps not.
Recent versions of OpenAFS support an alternate user/kernel interface
in addition to the traditional syscall.  While the inability to locate 
sys_call_table is normal for 2.6 kernels, one of the side effects is that 
you must use the new interface, as the old one is no longer available. 
Unfortunately, it seems that your heimdal must be too old to know about the 
new interface. :-(

> Questions:
> (1) Is it possible for OpenAFS to use Kerberos 5 tickets obtained from
> the heimdal kdc directly to authenticate to the AFS server?

I'm not sure what you mean by "directly".  OpenAFS supports Kerberos v5 
tickets, but they must be stored into the kernel token cache (ktc) so they 
are available to the cache manager.  This is what afslog does, and part of 
what the PAM module does.

There are essentially three ways to get tokens to store in the ktc:

(a) Get a Kerberos v4 ticket and give it to the cache manager.
    This is what krb4-aware versions of aklog and afslog do.  It is
    also what klog does, though in that case the ticket is obtained
    using the kaserver protocol rather than Kerberos.

(b) Get a Kerberos v5 ticket, and convert it to the form needed by
    the cache manager.  Some krb-aware versions of aklog and afslog
    may use this approach.

(c) Get a Kerberos v5 ticket, send it to krb524d for translation to
    a Kerberos v4 ticket, and give that to the cache manager.  This
    is the approach taken by many krb5-aware versions of afslog.
    Note that the krb524 service may return an actual krb4 ticket,
    or it may return a krb5 ticket inside a special wrapper.

In case (a), you are using krb4.
In case (b), you are using krb5.
In case (c), what you are using depends on what krb524d does.



> (2) Do I need to install kth-krb (or another Kerberos 4 installation) on
> any of the servers/workstations? I.e. is it necessary to have support
> for Kerberos 4 to make this happen?

No.

> (3) If it is not necessary to install kth-krb, how do I get
> pam_krb5afs.so to compile? It appears that it requires krb4 libraries to
> build. Are there other alternatives to get AFS tokens immediately during
> login?

I'm not sure where your pam_krb5afs is coming from, or what libraries it 
expects to use.  It may be attempting to do AFS operations itself, or it 
may be using the libkafs library provided with heimdal.  In the latter 
case, if heimdal is not built with krb4 support, then libkafs should not 
need it either.


> (4) Is it possible to run the AFS server processes and the kdc on two
> different servers?

Yes.

> If yes, what do I need to set up for the different
> pieces to inter-operate? Do I need to run a slave kdc on the AFS server?

No.  You don't need to do anything special.

AFS is a Kerberos-authenticated service, so its service principal will need 
to be registered in the Kerberos database, with the same key configured on 
the AFS servers.  I believe heimdal comes with tools that make it easy to 
generate a key file in the format that AFS requires.  Note that AFS servers 
support only the des-cbc-crc, des-cbc-md4, and des-cbc-md5 enctypes, so you 
will need to make sure that the AFS service principal has keys only for 
those enctypes.


> (5) If I am able to use Kerberos 5 tickets as tokens, do I need to
> enable krb524?

That depends on what your aklog/afslog does.  If it converts the ticket 
locally, you don't need a krb524 service.  However, I believe most versions 
currently distributed do require this service, for various reasons.


> (6) What files need to be set up on the different servers/workstations?
> I use krb5.conf on the workstation to find the KDC, I use krb5.conf on
> the server to configure the KDC, I use ThisCell/CellServDB on the AFS
> server to provide information about the OpenAFS server. Do I need to set
> up ThisCell/CellServDB on the workstation as well so that it knows how
> to locate the OpenAFS server?

Yes.  Or, you can use dynroot mode and afsdb support, and publish AFSDB 
records for your cell in the DNS (see RFC1183).

> Observations:
> I looked into the problem with the sys_call_table issue on the

It's a known issue, somewhat too complex to go into here.
Suffice it to say that the message is actually the result of something that 
happens at configure time, because of a series of tests that we can no 
longer do against Linux 2.6.


> ... It then failed reporting a
> problem with a pioctl (sorry, I don't have the exact message handy).

This is definitely the new-vs-old kernel interface problem.  The Debian 
packages do not contain code new enough to support the new interface.


> Problem with SSL: Wherever possible, I used openssl-0.9.7d to compile
> the software packages. For kth-krb, I had to compile without OpenSSL.

I can't help you with that -- ask on the kth-krb list.


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
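The enctype requirement in answer (4) above (AFS servers accept only des-cbc-crc, des-cbc-md4 and des-cbc-md5 keys for the service principal) is easy to get wrong when a KDC adds stronger keys by default. The following is an added check, not code from the mail, from OpenAFS or from heimdal: it parses the output of MIT-style `klist -ke` (assumed format; Heimdal's `ktutil list` prints differently and would need its own parser) and reports any key on the cell's AFS service principal whose enctype the AFS servers cannot use. The keytab listing embedded below is a constructed sample, not a real keytab.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Enctypes the AFS servers support for the service key, per the mail above.
AFS_ENCTYPES = frozenset({"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"})

# Constructed sample of MIT `klist -ke` output (assumed format); not real data.
SAMPLE_KLIST_KE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/example.com@EXAMPLE.COM (des-cbc-crc)
   3 afs/example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 afs/example.com@EXAMPLE.COM (arcfour-hmac)
   7 host/ws1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: str


# One data line of `klist -ke`: "<kvno> <principal> (<enctype>)".
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist_ke(text: str) -> List[KeytabEntry]:
    """Parse MIT-style `klist -ke` output into (kvno, principal, enctype) rows.

    Header and separator lines do not match the entry pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3).lower()))
    return entries


def check_afs_principal(entries: List[KeytabEntry], cell: str) -> Dict[str, object]:
    """Report which keys of the cell's AFS service principal the AFS servers can use.

    The service principal is "afs/<cell>@REALM" (or the older "afs@REALM").
    Any key with an enctype outside AFS_ENCTYPES is a problem: the KDC may
    issue service tickets under that key, and the fileservers cannot decrypt
    them. The check passes only when every AFS key is a supported DES enctype
    and at least one such key is present.
    """
    afs_entries = [
        e for e in entries
        if e.principal.startswith(f"afs/{cell}@") or e.principal.startswith("afs@")
    ]
    principal: Optional[str] = afs_entries[0].principal if afs_entries else None
    supported = [e.enctype for e in afs_entries if e.enctype in AFS_ENCTYPES]
    unsupported = [e.enctype for e in afs_entries if e.enctype not in AFS_ENCTYPES]
    return {
        "principal": principal,
        "supported": supported,
        "unsupported": unsupported,
        "ok": bool(supported) and not unsupported,
    }


if __name__ == "__main__":
    report = check_afs_principal(parse_klist_ke(SAMPLE_KLIST_KE), "example.com")
    print(f"principal: {report['principal']}")
    print(f"usable keys:   {report['supported']}")
    print(f"unusable keys: {report['unsupported']}")
    print("OK" if report["ok"] else "FIX: remove non-DES keys from the AFS principal")
```

Run it against a real listing with `klist -ke -t /path/to/afs.keytab | python3 check_afs_keytab.py` after replacing the sample with `sys.stdin.read()`; a non-empty `unsupported` list means the principal must be re-keyed with only the three DES enctypes before the fileservers will accept tickets.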