[OpenAFS] aklog and openafs 1.3.x
Christopher Allen Wing
wingc@engin.umich.edu
Sat, 23 Apr 2005 12:23:49 -0400 (EDT)
Frode:

The pam_krb5 module that comes with Red Hat should be able to obtain
tokens. Note that it may have some bugs:

- it may not work with dynroot enabled
- it may not work when you have more than 1 AFS database server

At some point I will try to get patches to Red Hat to fix these issues,
but I believe it will work at least if you disable dynroot. (or if you add
the name of your cell to the options string in /etc/pam.d/system-auth)

If FC3 comes with the 'krbafs-utils' RPM, this includes a program called
'afslog' which can obtain tokens as well. afslog is a Kerberos 4 program,
though, so in order to get it to work you need to ensure:

- /etc/krb.conf has the correct information for your realm name
- Kerberos 4 is enabled on your KDC
- you have obtained Kerberos 4 tickets before running afslog
  (which is generally the default for kinit)

If you look in the source RPM for pam_krb5, you will find another program
called 'afs5log' which is a version of aklog written by Red Hat. If you
rebuild the pam_krb5 source RPM, inside the BUILD directory you will find
an afs5log binary. This should work, and is Kerberos 5 native.

Regarding compiling aklog to work with openafs, you will need some patches
to get it working with openafs 1.3 and MIT krb5-1.3. I got this all to
compile as part of my OpenAFS RPMs for Red Hat Enterprise Linux 4.

You can find the patches to afs-krb5 here:

http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/

If all you want to do is compile aklog, I believe you should be able to do
it with the following patches:
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-64bit.patch
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-res_search.patch
(these two patches are needed to build on x86_64 at least)
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-com_err.patch
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-krb524.patch
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-openafs1.3.patch
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-warnings.patch

Apply these patches to afs-krb5, and then build as:

    cd src
    autoreconf
    ./configure --prefix=/usr --with-krb5=/usr/kerberos --with-afs=/usr/include

(assuming that you installed the development headers and libraries from
openafs in /usr/include)

Alternatively, you could just attempt to rebuild the entire OpenAFS RPM
under FC3. I would guess that the changes between RHEL4 and FC3 are minor
enough that it shouldn't be a big deal.

The source RPM is here:

http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SRPMS/openafs-1.3.81-rhel4.0.src.rpm

-Chris Wing
wingc@engin.umich.edu