[OpenAFS] AFS client on AIX: is there hope?

Franco "Sensei" Sensei <senseiwa@tin.it>
Wed, 20 Apr 2005 14:56:53 -0500

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Christopher D. Clausen wrote:
> I'm using Solaris for my servers, two are Solaris 10 running 1.3.80 and 
> one is still Solaris 9 running 1.2.13.
> I'm using NIS for account information.

NIS, I see.

> Which Kerberos are you using?

For KDC, I have debian woody's packages, so MIT.

> I compiled and am using MIT Kerberos 1.3.1 or possibly 1.3.6, not sure 
> exactly.
> I thought someone had previously mentioned a pure Kerberos 5 aklog 
> available somewhere, but I haven't yet tried to compile it on AIX nor do 
> I remember where it is available from.

We can compile (at least I hope) aklog from sources, but the problem is 
that I don't see where to attach aklog, which has to be run before a 
session is opened.

> I just downloaded and compiled gssklog on AIX:
> ftp://achilles.ctd.anl.gov/pub/DEE/
> Of course, this requires gssklogd running on your AFS servers, but this 
> was an acceptable alternative for us since we also use gssklog from our 
> Windows 2003 machines.

Mmmh... another daemon, another port open. We can give it a try anyway. 
How can you use it on aix? I mean, how do you start gssklog in your 
config files?

> I have an AIX 5.1 and 5.2 machine with AFS and Kerberos working quite 
> well.  Only issue is that users do not automatically aquire tokens at 
> login.  They simply run gssklog to obtain tokens.  This is acceptable in 
> my environment.  You might be able to get a pam_run or similar module to 
> run an aklog or gssklog at login on AIX 5.2.  (AIX 5.1 has no real PAM.) 
> Is this the only problem you are having?

I can't use LDAP to retrieve user information. And... it's quite bad not 
having any token at login! :) Do you use ssh or a direct login?

> There was a recent post about afs_dynamic_kerbauth working in 1.3.80 but 
> I still run 1.2.13 on my AIX machines.  Can someone confirm that it does 
> indeed work against a Kereberos 5 KDC?  afs_dynamic_kerbauth does NOT 
> appear to work against a Kerberos 5 KDC in the 1.2.13 version, although 
> I will re-test if someone believes it does.

I'd be happy staying with the stable branch... If I'm right 
afs_dynamic_kerbauth works with kerberos 4, not 5... is it so?

Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB>

The difference between stupidity and genius is that genius has its limits.
    Albert Einstein

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org