[OpenAFS] tokens at login (pam_krb5afs module)
Dj Merrill
deej@thayer.dartmouth.edu
Tue, 26 Apr 2005 12:08:26 -0400
Dj Merrill wrote:
> Hi Chris,
> Will this break my existing and working RHEL 3.4 systems?
>
To answer my own query, no, it does not break the
RHEL 3.4 machines. I basically did:
"asetkey list" to get the highest KVNO listed (in my case, 1).
I then created the afs/econ.duke.edu principal and
modified the kvno:
kadmin.local: addprinc afs/econ.duke.edu
WARNING: no policy specified for afs/econ.duke.edu@ECON.DUKE.EDU;
defaulting to no policy
Enter password for principal "afs/econ.duke.edu@ECON.DUKE.EDU":
Re-enter password for principal "afs/econ.duke.edu@ECON.DUKE.EDU":
Principal "afs/econ.duke.edu@ECON.DUKE.EDU" created.
kadmin.local: modprinc -kvno 1 afs/econ.duke.edu
Principal "afs/econ.duke.edu@ECON.DUKE.EDU" modified.
Add it to the keytab file:
kadmin.local: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 afs/econ.duke.edu@ECON.DUKE.EDU
Entry for principal afs/econ.duke.edu@ECON.DUKE.EDU with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Use asetkey to add it to AFS:
./asetkey add 2 /etc/krb5.keytab afs/econ.duke.edu
Test on RHEL 3.4:
(login via ssh)
$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1001) tokens for afs@econ.duke.edu [Expires Apr 27 13:28]
--End of list--
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_f8uBQi
Default principal: deej@ECON.DUKE.EDU
Valid starting Expires Service principal
04/26/05 12:01:58 04/27/05 12:01:58 krbtgt/ECON.DUKE.EDU@ECON.DUKE.EDU
renew until 04/27/05 12:01:58
Kerberos 4 ticket cache: /tmp/tkt1001_GltNi8
Principal: deej@ECON.DUKE.EDU
Issued Expires Principal
04/26/05 12:01:58 04/27/05 09:16:58 krbtgt.ECON.DUKE.EDU@ECON.DUKE.EDU
04/26/05 12:01:58 04/26/05 23:46:58 afs.econ.duke.edu@ECON.DUKE.EDU
Test on RHEL 4:
(login via ssh)
$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1001) tokens for afs@econ.duke.edu [Expires Apr 27 12:04]
--End of list--
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_OsfvYl
Default principal: deej@ECON.DUKE.EDU
Valid starting Expires Service principal
04/26/05 12:02:59 04/27/05 12:04:29 krbtgt/ECON.DUKE.EDU@ECON.DUKE.EDU
renew until 04/27/05 12:04:29
Kerberos 4 ticket cache: /tmp/tkt1001_lA8gnk
Principal: deej@ECON.DUKE.EDU
Issued Expires Principal
04/26/05 10:38:08 04/27/05 12:04:29 krbtgt.ECON.DUKE.EDU@ECON.DUKE.EDU
One interesting note is that "klist" under
3.4 gives an entry for "afs.econ.duke.edu@ECON.DUKE.EDU"
whereas for 4 it does not. However, it seems to work - I can
access files in AFS, etc.
I think it is working - I'll test more to find out.
Thanks for the pointers!!!!
-Dj
--
Dj Merrill
Sportsman 2+2 Builder #7118
"TSA: Totally Screwing Aviation"
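The step that is easy to get wrong in the procedure above is the kvno: "modprinc -kvno 1" set the principal to 1, but "ktadd" generates a fresh random key and bumps the kvno, so the keytab entry came out as kvno 2 and the matching "asetkey add 2 ..." had to use that number, not the one from "asetkey list". The script below is an added example, not code from the original post or from OpenAFS or MIT Kerberos: it parses the output of "klist -k" and "asetkey list" and reports whether the keytab's afs/cell kvno has a KeyFile entry, printing the asetkey command that would fix a mismatch. The "kvno N: key is: ..." line format of asetkey list is assumed from OpenAFS 1.4-era output, and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenAFS/MIT Kerberos.
# Checks that the kvno of the afs/<cell> entry in the Kerberos keytab is also
# present in the AFS KeyFile, which the post satisfies by hand ("kvno 2" from
# ktadd, then "asetkey add 2 ...").
# Assumptions: the "kvno N: key is: ..." line format of `asetkey list` and the
# two-column "KVNO Principal" table of `klist -k`; the sample outputs below
# are constructed for illustration and are not real keys.

ASETKEY_LIST_SAMPLE='kvno    1: key is: 0123456789abcdef
kvno    2: key is: fedcba9876543210
All done.'

KLIST_K_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/afs1.econ.duke.edu@ECON.DUKE.EDU
   2 afs/econ.duke.edu@ECON.DUKE.EDU'

# Print the kvnos found in `asetkey list` output (stdin), one per line.
keyfile_kvnos() {
    awk '/^kvno/ { sub(/:$/, "", $2); print $2 + 0 }'
}

# Print the highest kvno in `asetkey list` output (stdin); 0 if none.
highest_keyfile_kvno() {
    awk 'BEGIN { m = 0 } /^kvno/ { sub(/:$/, "", $2); if ($2 + 0 > m) m = $2 + 0 } END { print m }'
}

# Print the kvno(s) that principal $1 has in `klist -k` output (stdin).
keytab_kvnos() {
    awk -v p="$1" '$2 == p { print $1 + 0 }'
}

# check_kvno_match PRINCIPAL ASETKEY_LIST_OUTPUT KLIST_K_OUTPUT
# Returns 0 if the newest keytab kvno for PRINCIPAL has a KeyFile entry;
# otherwise prints the asetkey command that would add it and returns 1.
check_kvno_match() {
    princ=$1
    keyfile_out=$2
    keytab_out=$3
    kt_kvno=$(printf '%s\n' "$keytab_out" | keytab_kvnos "$princ" | sort -n | tail -n 1)
    if [ -z "$kt_kvno" ]; then
        echo "no $princ entry in keytab" >&2
        return 1
    fi
    if printf '%s\n' "$keyfile_out" | keyfile_kvnos | grep -qx "$kt_kvno"; then
        echo "kvno $kt_kvno for $princ present in both keytab and KeyFile"
        return 0
    fi
    echo "kvno $kt_kvno for $princ missing from KeyFile; fix with:" >&2
    echo "  asetkey add $kt_kvno /etc/krb5.keytab ${princ%@*}" >&2
    return 1
}

# Run against the constructed samples. On a real server, feed in the live
# output of `asetkey list` and `klist -k /etc/krb5.keytab` instead.
check_kvno_match afs/econ.duke.edu@ECON.DUKE.EDU "$ASETKEY_LIST_SAMPLE" "$KLIST_K_SAMPLE"
```

With the post's numbers, the check passes only once the kvno 2 entry exists in the KeyFile; if only the pre-existing kvno 1 were present, it would print the exact "asetkey add 2 /etc/krb5.keytab afs/econ.duke.edu" command from the post as the fix.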