[OpenAFS] AFS client on AIX: is there hope?
Christopher D. Clausen
cclausen@acm.org
Wed, 20 Apr 2005 13:32:35 -0500
>From "Franco "Sensei"" <senseiwa@tin.it>
> Hi, still trying to have my AIX 5.2 get on my cell!
>
> My situation (again). Kerberos KDC, OpenAFS, OpenLDAP on Debian stable.
> Kerberos authenticates, LDAP gives home information along with GID/UID
> (*flat* database: "uid=username, objectClass=top,
> objectClass=posixAccount..."), at last, I convert the ticket into an AFS
> token and the session begins.

I'm using Solaris for my servers, two are Solaris 10 running 1.3.80 and
one is still Solaris 9 running 1.2.13.
I'm using NIS for account information.

> What I've succeeded to do? Kerberos can kinit, ktutil and kadmin.
> OpenAFS mounts my cell correctly, but I can't access to it since I don't
> have the tokens. Perfect.

Which Kerberos are you using?
I compiled and am using MIT Kerberos 1.3.1 or possibly 1.3.6, not sure
exactly.
I thought someone had previously mentioned a pure Kerberos 5 aklog
available somewhere, but I haven't yet tried to compile it on AIX nor do
I remember where it is available from.

> Now how do I make this work under AIX? How to convert tickets in tokens?
> How to use LDAP for user info? I've contacted aix newsgroups but nothing.
> They use aix just server-side.

I just downloaded and compiled gssklog on AIX:
ftp://achilles.ctd.anl.gov/pub/DEE/
Of course, this requires gssklogd running on your AFS servers, but this
was an acceptable alternative for us since we also use gssklog from our
Windows 2003 machines.

> Has anyone an AIX machine being a client of afs & kerberos?

I have an AIX 5.1 and 5.2 machine with AFS and Kerberos working quite
well. Only issue is that users do not automatically acquire tokens at
login. They simply run gssklog to obtain tokens. This is acceptable in
my environment. You might be able to get a pam_run or similar module to
run an aklog or gssklog at login on AIX 5.2. (AIX 5.1 has no real PAM.)
Is this the only problem you are having?
There was a recent post about afs_dynamic_kerbauth working in 1.3.80 but
I still run 1.2.13 on my AIX machines. Can someone confirm that it does
indeed work against a Kerberos 5 KDC? afs_dynamic_kerbauth does NOT
appear to work against a Kerberos 5 KDC in the 1.2.13 version, although
I will re-test if someone believes it does.
<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin