[OpenAFS] AFS client on AIX: is there hope?
Christopher D. Clausen
Wed, 20 Apr 2005 16:58:21 -0500
From: "Franco "Sensei"" <firstname.lastname@example.org>
> Christopher D. Clausen wrote:
> We can compile (at least I hope) aklog from sources, but the problem
> that I don't see where to attach aklog, which has to be run before a
> session is opened.
Just for the sake of testing it, does
http://afs.caspur.it/afs/italia/project/ssh/ work for you, getting
tokens at login?
>> I just downloaded and compiled gssklog on AIX:
>> Of course, this requires gssklogd running on your AFS servers, but
>> was an acceptable alternative for us since we also use gssklog from
>> Windows 2003 machines.
> Mmmh... another daemon, another port open. We can give it a try
> How can you use it on aix? I mean, how do you start gssklog in your
> config files?
Right now I just type in gssklog as the first thing I run after logging
on. For instance:
Using username "cclausen".
I have my home directory setup to let all my login scripts run fine even
if I don't have AFS tokens at login: /afs/acm.uiuc.edu/user/cclausen is
system:anyuser l and ~/Public is system:anyuser rl. I have symlinks
from ~/ to ~/Public for various files to not depend on tokens for my
scripts to run. Depending on the shells you use, you might be able to
fake tokens by running gssklog or aklog directly from /etc/profile or
whatever global config your shells use or from each user's dotfiles.
> I can't use LDAP to retrieve user information. And... it's quite bad
> having any token at login! :) Do you use ssh or a direct login?
This is one of the reasons why we still use NIS. Haven't gotten LDAP to
work everywhere yet.
I ssh in right now. I have a version of openssh 3.8 that I compiled
against MIT Kerberos myself. The version that IBM distributes from
their website has Kerberos support, but I wanted to support MIT Kerberos
1.3 so that I could get RC4-HMAC enc_type support, as I'm pretty sure
the IBM Kerberos doesn't support it yet.
>> There was a recent post about afs_dynamic_kerbauth working in 1.3.80
>> I still run 1.2.13 on my AIX machines. Can someone confirm that it
>> indeed work against a Kereberos 5 KDC? afs_dynamic_kerbauth does NOT
>> appear to work against a Kerberos 5 KDC in the 1.2.13 version,
>> I will re-test if someone believes it does.
> I'd be happy staying with the stable branch... If I'm right
> afs_dynamic_kerbauth works with kerberos 4, not 5... is it so?
That is what I think as well. Kerberos 4 only, which is hopefully
something everyone is moving away from. Although the IBM docs mention
DCE, which doesn't work with Kerberos 4, so its possible that there is
Krb5 support, we just don't know how to use it correctly.
The other option is to write your own AIX Auth Module and use it. I am
considering doing this myself, but it really isn't worth the trouble for
the few machines that we have that run AIX. And newer AIX versions have
PAM support, so this is even less useful.
If someone has contacts at IBM, it might be possible to obtain an
exmaple or the source to IBM;s KRB5 or KRB5A LAM and then modify it to
also obtain AFS tokens in addition to Kerberos tickets. I have no idea
how willing IBM would be to work with someone on doing just that.
Have you tried using pam_afs2 on AIX? Doug emailed this list a few
weeks ago about it: ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
I have an AIX 5.1 system with no PAM support, so it won't work for me,
but you might be able to get it to work. You may be able to use LAM on
AIX 5.2 to have SSH obtain AFS tokens using one of the afs PAMs
available on the net.
I believe I posted this to the AIX newsgroup, but
http://www.feep.net/PAM/AIX/ might be of use to others who haven't seen
I don't have a dev environment setup on a AIX 5.2 machine right now, but
when I get around to it I'll attempt to get PAM and LAM working such
that tokens can be obtained at login.