[OpenAFS] Re: aklog and openafs 1.3.x
Frode Nilsen
ml@cyberpunks.no
Fri, 29 Apr 2005 20:46:11 +0200
Thanks for all the help; I made myself an rpm for the afs-krb5-2.0
package. And now it works; I can run 'aklog', and get my token.
The only problem I encountered was with the pam_krb5afs module on the
clients (running fc3); it won't give a token when logging in. My solution
to this was to set '-acl system:anyuser l' on my users' home volumes, and
to run 'aklog' from '.bash_profile'. I don't like that users can list the
content of other people's home volumes, but this was the only solution I
could find.
I wonder what solution other people have for this problem?
--
Frode Nilsen
On Sat, 23 Apr 2005 12:23:49 -0400, Christopher Allen Wing wrote:
> Frode:
>
> The pam_krb5 module that comes with Red Hat should be able to obtain
> tokens. Note that it may have some bugs:
>
> - it may not work with dynroot enabled
> - it may not work when you have more than 1 AFS database server
>
>
> At some point I will try to get patches to Red Hat to fix these issues,
> but I believe it will work at least if you disable dynroot. (or if you
> add the name of your cell to the options string in
> /etc/pam.d/system-auth)
>
> If FC3 comes with the 'krbafs-utils' RPM, this includes a program called
> 'afslog' which can obtain tokens as well. afslog is a Kerberos 4
> program, though, so in order to get it to work you need to ensure:
>
> - /etc/krb.conf has the correct information for your realm name
> - Kerberos 4 is enabled on your KDC
> - you have obtained Kerberos 4 tickets before running afslog
>   (which is generally the default for kinit)
>
>
> If you look in the source RPM for pam_krb5, you will find another
> program called 'afs5log' which is a version of aklog written by Red Hat.
> If you rebuild the pam_krb5 source RPM, inside the BUILD directory you
> will find an afs5log binary. This should work, and is Kerberos 5 native.
>
>
> Regarding compiling aklog to work with openafs, you will need some
> patches to get it working with openafs 1.3 and MIT krb5-1.3. I got this
> all to compile as part of my OpenAFS RPMs for Red Hat Enterprise Linux
> 4.
>
>
> You can find the patches to afs-krb5 here:
>
> http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/
>
>
> If all you want to do is compile aklog, I believe you should be able to
> do it with the following patches:
>
> http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-64bit.patch
> http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-res_search.patch
> (these two patches are needed to build on x86_64 at least)
>
> http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-com_err.patch
>
> http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-krb524.patch
>
> http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-openafs1.3.patch
>
> http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SOURCES/afs-krb5-2.0-warnings.patch
>
>
> Apply these patches to afs-krb5, and then build as:
>
> cd src
> autoreconf
>
> ./configure --prefix=/usr --with-krb5=/usr/kerberos --with-afs=/usr/include
>
> (assuming that you installed the development headers and libraries from
> openafs in /usr/include)
>
>
>
> Alternatively, you could just attempt to rebuild the entire OpenAFS RPM
> under FC3. I would guess that the changes between RHEL4 and FC3 are
> minor enough that it shouldn't be a big deal.
>
> The source RPM is here:
>
> http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.81/SRPMS/openafs-1.3.81-rhel4.0.src.rpm
>
>
> -Chris Wing
> wingc@engin.umich.edu
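
An added check, not part of the original thread, for the `system:anyuser l` workaround described in the first message: it reads text in the format printed by `fs listacl` and reports any directory where `system:anyuser` holds more than the lookup right. The cell name, paths and user names in the sample are constructed, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: flag system:anyuser entries that grant more than lookup ("l").
# Input is text in the format printed by `fs listacl <dir>`.

# Constructed sample output for two hypothetical home directories.
sample_acls() {
cat <<'EOF'
Access list for /afs/example.org/user/alice is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  alice rlidwka
Access list for /afs/example.org/user/bob is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  bob rlidwka
Negative rights:
  mallory rl
EOF
}

# Print "<path> <rights>" for every directory where system:anyuser holds
# any right other than "l" in the Normal rights section. Entries under
# "Negative rights:" are skipped because they remove access, not grant it.
audit_anyuser() {
    awk '
        /^Access list for / { path = $4; section = ""; next }
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && $1 == "system:anyuser" && $2 != "l" {
            print path, $2
        }
    '
}

# On a real client the input would come from live ACLs, for example:
#   for d in /afs/<cell>/user/*; do fs listacl "$d"; done | audit_anyuser
# (<cell> is a placeholder for the local cell name.)
sample_acls | audit_anyuser
```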