[OpenAFS] LDAP and Krb5 and OpenAFS - problem?

Education Center mailbox030403@mail.ru
Thu, 23 Jun 2005 16:57:26 +0400

We found the following concepts really useful during installation, setup and usage:

- Google
It has much information on how to set things up,
but I never found a fully complete howto.
We used several ones.

- afs-uid = ldap-uid
It's not a requirement,
but it's less confusing if unix user names correspond to afs.

- authenticate only via kerberos (no ldap auth)
This gives a single point of control for it.

- use SASL GSSAPI as much as possible instead of direct kerberos support
This will simplify configuration and make a unified environment independent of the kerb implementation.

- we recommend Heimdal kerberos for server and client
Mostly because of native afs support; it will simplify kerberos integration with PAM and other types of logins such as login, ssh, etc.
For example you will get an afs ticket right after the kerberos ticket without additional effort.

- use Heimdal with krb5 support only
Although the Heimdal kdc may emulate kaserver, then you should use krb4.
It's not really necessary.
After the afs principal has been specially created without des3-cbc-sha1 and exported to the afs keyfile there is no need to support kaserver.
This will simplify administration and keep the environment more secure since there is krb4.

- use PAM for client using pam_krb5 and pam_openafs_session

- integrate the nss_ldap into client and server systems

- think about kerberizing all possible user services (not only file
For example: login, ssh, gdm, ldap, proxy, web, etc.
In other words everything that a user might use.
Sometimes it will require recompilation, but don't be afraid of this.

- be prepared: the openAFS kernel module sometimes is not so stable on linux
For example: slocate (updatedb)


We see no real problems implementing such a configuration.

That's all in a few words...
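As an added example (not part of the original message or of any OpenAFS tooling), a small POSIX shell check for two of the points above: that the afs principal in the keytab carries only single-DES keys (so it can be exported to the afs keyfile without des3-cbc-sha1), and that AFS ids match the uid served through nss_ldap. The `klist -k -e`, `pts listentries` and `getent passwd` outputs are constructed samples embedded inline.

```shell
# Constructed sample of `klist -k -e` output (not from the original post).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/example.org@EXAMPLE.ORG (des-cbc-crc)
   3 afs/example.org@EXAMPLE.ORG (des3-cbc-sha1)
   5 host/client.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)'

# Constructed sample of `pts listentries` output (AFS name and id).
SAMPLE_PTS='Name                          ID  Owner Creator
alice                        1001  -204  -204
bob                          1002  -204  -204'

# Constructed sample of `getent passwd` output as served through nss_ldap.
SAMPLE_PASSWD='alice:x:1001:100:Alice:/afs/example.org/home/alice:/bin/sh
bob:x:1003:100:Bob:/afs/example.org/home/bob:/bin/sh'

# Report keytab entries for afs principals whose enctype is not single DES;
# those are the keys that must not end up in the afs keyfile.
afs_non_des_enctypes() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^afs(\/|@)/ {
            enc = $3; gsub(/[()]/, "", enc)
            if (enc !~ /^des-cbc-/) print $2 " " enc
        }'
}

# Report users whose AFS id differs from the uid seen through NSS (afs-uid = ldap-uid).
# Arguments: pts listentries output, getent passwd output.
afs_uid_mismatches() {
    pts_tmp=$(mktemp) && passwd_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$pts_tmp"
    printf '%s\n' "$2" > "$passwd_tmp"
    awk -F'[ \t:]+' '
        NR == FNR { if (FNR > 1 && $1 != "") afs[$1] = $2; next }
        ($1 in afs) && afs[$1] != $3 { print $1 " afs=" afs[$1] " ldap=" $3 }
    ' "$pts_tmp" "$passwd_tmp"
    rm -f "$pts_tmp" "$passwd_tmp"
}

afs_non_des_enctypes "$SAMPLE_KLIST"
afs_uid_mismatches "$SAMPLE_PTS" "$SAMPLE_PASSWD"
```

On a live system replace the samples with the real command output; each function prints one line per finding and nothing when the check passes.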



Just a quick question: I want to set up the new system with ldap for
users/groups/autofs, krb5 for auth and OpenAFS for most of the
E.G. in daily work the passwords are in Krb5 and only the path of the
homedir is taken from ldap, while all data are on OpenAFS.
Are there any errors to expect? E.G. passwords - while a user can change
passwords on Krb5 the passwords are not changed in ldap - user with 2
could login. I think I have to disable passwords via ldap.
Any more?