[OpenAFS] Re: aklog and openafs 1.3.x

Dj Merrill deej@thayer.dartmouth.edu
Fri, 29 Apr 2005 15:00:46 -0400


Frode Nilsen wrote:

> The only problem I encountered was with the pam_krb5afs module on the
> clients (running fc3); it won't give a token when logging in. My solution
> to this, was to set '-acl system:anyuser l' on my users home volumes, and
> running 'aklog' from '.bash_profile'. I don't like that users can list the
> content of other peoples home volumes, but this was the only solution I
> could find.
> 
> I wonder what solution other people have on this problem?


Hi Frode,
	Three days ago I posted the following, which solved this for me
under RHEL 4.  You should be able to look at the archives for
the complete thread on the topic.

----------
     To answer my own query, no, it does not break the
RHEL 3.4 machines.  I basically did:
"asetkey list" to get the highest KVNO listed (in my case, 1).
I then created the afs/econ.duke.edu principal and
modified the kvno:

kadmin.local:  addprinc afs/econ.duke.edu
WARNING: no policy specified for afs/econ.duke.edu@ECON.DUKE.EDU; 
defaulting to no policy
Enter password for principal "afs/econ.duke.edu@ECON.DUKE.EDU":
Re-enter password for principal "afs/econ.duke.edu@ECON.DUKE.EDU":
Principal "afs/econ.duke.edu@ECON.DUKE.EDU" created.
kadmin.local:  modprinc -kvno 1 afs/econ.duke.edu
Principal "afs/econ.duke.edu@ECON.DUKE.EDU" modified.

     Add it to the keytab file:
kadmin.local:  ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 
afs/econ.duke.edu@ECON.DUKE.EDU
Entry for principal afs/econ.duke.edu@ECON.DUKE.EDU with kvno 2, 
encryption type DES cbc mode with CRC-32 added to keytab 
WRFILE:/etc/krb5.keytab.

     Use asetkey to add it to AFS:
./asetkey add 2 /etc/krb5.keytab afs/econ.duke.edu

     Test on RH3.4:
(login via ssh)
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1001) tokens for afs@econ.duke.edu [Expires Apr 27 13:28]
    --End of list--
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_f8uBQi
Default principal: deej@ECON.DUKE.EDU

Valid starting     Expires            Service principal
04/26/05 12:01:58  04/27/05 12:01:58  krbtgt/ECON.DUKE.EDU@ECON.DUKE.EDU
         renew until 04/27/05 12:01:58


Kerberos 4 ticket cache: /tmp/tkt1001_GltNi8
Principal: deej@ECON.DUKE.EDU

   Issued              Expires             Principal
04/26/05 12:01:58  04/27/05 09:16:58  krbtgt.ECON.DUKE.EDU@ECON.DUKE.EDU
04/26/05 12:01:58  04/26/05 23:46:58  afs.econ.duke.edu@ECON.DUKE.EDU

Test on RHEL 4:
(login via ssh)
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1001) tokens for afs@econ.duke.edu [Expires Apr 27 12:04]
    --End of list--
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_OsfvYl
Default principal: deej@ECON.DUKE.EDU

Valid starting     Expires            Service principal
04/26/05 12:02:59  04/27/05 12:04:29  krbtgt/ECON.DUKE.EDU@ECON.DUKE.EDU
         renew until 04/27/05 12:04:29


Kerberos 4 ticket cache: /tmp/tkt1001_lA8gnk
Principal: deej@ECON.DUKE.EDU

   Issued              Expires             Principal
04/26/05 10:38:08  04/27/05 12:04:29  krbtgt.ECON.DUKE.EDU@ECON.DUKE.EDU
---------

-- 
Dj Merrill
Sportsman 2+2 Builder #7118

"TSA: Totally Screwing Aviation"
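The procedure above hinges on one detail: the kvno that `ktadd` writes into the keytab (2) has to sit above every kvno already in the AFS KeyFile (1, from `asetkey list`), which is why the principal's kvno was bumped with `modprinc -kvno` first. The sh/awk helper below is an added example, not code from the thread or from OpenAFS; it reads previously captured `asetkey list` and `klist -k` output (both formats assumed, not taken from the post) and only hands back a kvno for `asetkey add` when that condition holds.

```shell
# Added example: derive a safe kvno for "asetkey add" from captured tool output.
# Formats assumed: "asetkey list" prints "kvno    N: key is: ..." per key;
# "klist -k" prints "   N principal@REALM" per entry after a two-line header.

# Highest kvno in "asetkey list" output (stdin); prints 0 when the KeyFile is empty.
afs_highest_kvno() {
    awk 'BEGIN { max = 0 }
         $1 == "kvno" { v = $2; sub(/:$/, "", v); if (v + 0 > max) max = v + 0 }
         END { print max + 0 }'
}

# kvno of the (last) keytab entry for principal $1 in "klist -k" output (stdin);
# prints 0 when the principal has no entry.
keytab_kvno() {
    awk -v p="$1" '$2 == p { kv = $1 } END { print kv + 0 }'
}

# asetkey_add_kvno ASETKEY_LIST_TEXT KLIST_K_TEXT PRINCIPAL
# Prints the kvno to pass to "asetkey add" and returns 0, or explains on stderr
# and returns 1: the keytab entry must exist and its kvno must be above every
# kvno already in KeyFile, so the new key never lands on an existing kvno.
asetkey_add_kvno() {
    highest=$(printf '%s\n' "$1" | afs_highest_kvno)
    kv=$(printf '%s\n' "$2" | keytab_kvno "$3")
    if [ "$kv" -eq 0 ]; then
        echo "no keytab entry for $3" >&2
        return 1
    fi
    if [ "$kv" -le "$highest" ]; then
        echo "keytab kvno $kv is not above KeyFile kvno $highest; raise it with modprinc -kvno first" >&2
        return 1
    fi
    echo "$kv"
}

# Constructed sample output mirroring the thread: KeyFile holds kvno 1,
# the entry ktadd wrote to the keytab carries kvno 2.
SAMPLE_ASETKEY_LIST='kvno    1: key is: 0x0123456789abcdef'
SAMPLE_KLIST_K='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/econ.duke.edu@ECON.DUKE.EDU'

# Typical use on a real cell (commands not run here):
#   kv=$(asetkey_add_kvno "$(asetkey list)" "$(klist -k /etc/krb5.keytab)" \
#        afs/econ.duke.edu@ECON.DUKE.EDU) && asetkey add "$kv" /etc/krb5.keytab afs/econ.duke.edu
```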