[OpenAFS] AFS client on AIX: is there hope?

Christopher D. Clausen cclausen@acm.org
Wed, 20 Apr 2005 16:58:21 -0500

From: "Franco "Sensei"" <senseiwa@tin.it>
> Christopher D. Clausen wrote:
> We can compile (at least I hope) aklog from sources, but the problem 
> is
> that I don't see where to attach aklog, which has to be run before a
> session is opened.

Just for the sake of testing it, does 
http://afs.caspur.it/afs/italia/project/ssh/ work for you, getting 
tokens at login?

>> I just downloaded and compiled gssklog on AIX:
>> ftp://achilles.ctd.anl.gov/pub/DEE/
>> Of course, this requires gssklogd running on your AFS servers, but 
>> this
>> was an acceptable alternative for us since we also use gssklog from 
>> our
>> Windows 2003 machines.
> Mmmh... another daemon, another port open. We can give it a try 
> anyway.
> How can you use it on aix? I mean, how do you start gssklog in your
> config files?

Right now I just type in gssklog as the first thing I run after logging 
on.  For instance:
Using username "cclausen".
[cclausen@enzo:~]% gssklog

I have my home directory setup to let all my login scripts run fine even 
if I don't have AFS tokens at login: /afs/acm.uiuc.edu/user/cclausen is 
system:anyuser l and ~/Public is system:anyuser rl.  I have symlinks 
from ~/ to ~/Public for various files to not depend on tokens for my 
scripts to run.  Depending on the shells you use, you might be able to 
fake tokens by running gssklog or aklog directly from /etc/profile or 
whatever global config your shells use or from each user's dotfiles.

> I can't use LDAP to retrieve user information. And... it's quite bad 
> not
> having any token at login! :) Do you use ssh or a direct login?

This is one of the reasons why we still use NIS.  Haven't gotten LDAP to 
work everywhere yet.

I ssh in right now.  I have a version of openssh 3.8 that I compiled 
against MIT Kerberos myself.  The version that IBM distributes from 
their website has Kerberos support, but I wanted to support MIT Kerberos 
1.3 so that I could get RC4-HMAC enc_type support, as I'm pretty sure 
the IBM Kerberos doesn't support it yet.

>> There was a recent post about afs_dynamic_kerbauth working in 1.3.80 
>> but
>> I still run 1.2.13 on my AIX machines.  Can someone confirm that it 
>> does
>> indeed work against a Kereberos 5 KDC?  afs_dynamic_kerbauth does NOT
>> appear to work against a Kerberos 5 KDC in the 1.2.13 version, 
>> although
>> I will re-test if someone believes it does.
> I'd be happy staying with the stable branch... If I'm right
> afs_dynamic_kerbauth works with kerberos 4, not 5... is it so?

That is what I think as well.  Kerberos 4 only, which is hopefully 
something everyone is moving away from.  Although the IBM docs mention 
DCE, which doesn't work with Kerberos 4, so its possible that there is 
Krb5 support, we just don't know how to use it correctly.

The other option is to write your own AIX Auth Module and use it.  I am 
considering doing this myself, but it really isn't worth the trouble for 
the few machines that we have that run AIX.  And newer AIX versions have 
PAM support, so this is even less useful.

If someone has contacts at IBM, it might be possible to obtain an 
exmaple or the source to IBM;s KRB5 or KRB5A LAM and then modify it to 
also obtain AFS tokens in addition to Kerberos tickets.  I have no idea 
how willing IBM would be to work with someone on doing just that.

Have you tried using pam_afs2 on AIX?  Doug emailed this list a few 
weeks ago about it: ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar

I have an AIX 5.1 system with no PAM support, so it won't work for me, 
but you might be able to get it to work.  You may be able to use LAM on 
AIX 5.2 to have SSH obtain AFS tokens using one of the afs PAMs 
available on the net.

I believe I posted this to the AIX newsgroup, but 
http://www.feep.net/PAM/AIX/ might be of use to others who haven't seen 
that post.

I don't have a dev environment setup on a AIX 5.2 machine right now, but 
when I get around to it I'll attempt to get PAM and LAM working such 
that tokens can be obtained at login.