[OpenAFS] LDAP and Krb5 and OpenAFS - problem?
Thu, 23 Jun 2005 16:57:26 +0400
We found the following concepts really useful during installation, setup
It has much information on how to set up
But I never found a fully complete howto
We used several ones
- afs-uid = ldap-uid
It's not a requirement
but it's less confusing if unix user names correspond to afs
- do authenticate only via kerberos (no ldap auth)
This gives a single point of control of it
- use SASL gssapi as much as possible instead of direct kerberos support
This will simplify configuration and make a unified environment independent of the kerb implementation
- we recommend Heimdal kerberos for server and client
Mostly because of native afs support; it will simplify kerberos integration with PAM and other types of logins such as login, ssh... etc.
For example you will get an afs ticket right after the kerberos ticket without additional effort
- use Heimdal with krb5 support only
Although the Heimdal kdc may emulate kaserver, then you should use krb4
It's not really necessary
After the afs principal has been specially created without des3-cbc-sha1 and exported to the afs keyfile there is no need to support kaserver
This will simplify administration and keep the environment more secure since there is krb4
- use PAM for client using pam_krb5 and pam_openafs_session
- integrate the nss_ldap into client and server systems
- think about kerberizing all possible user services (not only file
For example: login, ssh, gdm, ldap, proxy, web, etc...
In other words everything that a user might use
Sometimes it will require recompilation but don't be afraid of this.
- be prepared: the openAFS kernel module sometimes is not so stable on linux
For example: slocate (updatedb)
We see no real problems implementing such a configuration.
It's all in a few words...
Just a quick question: I want to set up the new system with ldap for
users/groups/autofs, krb5 for auth and OpenAFS for most of the
E.g. in daily work the passwords are in Krb5 and only the path of the
taken from ldap, while all data are on OpenAFS.
Are there any errors to expect? E.g. passwords - while a user can change
passwords in Krb5 the passwords are not changed in ldap - a user with 2
could login. I think I have to disable passwords via ldap.
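An added audit example, not part of this thread and not code from OpenAFS, Heimdal or OpenLDAP. It checks the two things the reply and the question above care about: LDAP user entries that still carry a local userPassword hash (a second password that Kerberos and pam_krb5 never see), as opposed to entries whose userPassword is OpenLDAP's {SASL} pass-through or is absent; and user names whose AFS pts id differs from their LDAP uidNumber, which the reply recommends keeping equal. The LDIF text and the `pts listentries`-style output are constructed samples embedded in the script; the column layout assumed for pts output (Name, ID, Owner, Creator) is an assumption about that command's format.

```python
"""Constructed sample data and a small audit, added here as an example.
Nothing below talks to a real directory, KDC or AFS cell."""

# Constructed LDIF: alice delegates simple binds to SASL/Kerberos, bob has a
# local hash (a second password outside Kerberos control), carol has none.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
uidNumber: 1001
userPassword: {SASL}alice@EXAMPLE.ORG

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
uidNumber: 1002
userPassword: {SSHA}placeholder-not-a-real-hash

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
uidNumber: 1003
"""

# Constructed to resemble `pts listentries -users` output (assumed layout:
# Name, ID, Owner, Creator). bob's pts id was deliberately set to differ
# from his LDAP uidNumber.
SAMPLE_PTS = """\
Name                          ID  Owner Creator
alice                       1001   -204    -204
bob                         1042   -204    -204
carol                       1003   -204    -204
"""


def parse_ldif(text):
    """Return {uid: {attribute: value}} for each entry that has a uid.
    Only single-valued, non-base64 attributes are handled (enough for the
    sample); entries are separated by blank lines."""
    entries = {}
    current = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "uid" in current:
                entries[current["uid"]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    return entries


def parse_pts(text):
    """Return {name: pts_id} from pts listentries-style text, skipping the
    header line."""
    ids = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            ids[parts[0]] = int(parts[1])
    return ids


def local_password_users(entries):
    """uids whose userPassword is a local hash rather than a {SASL} pass-through.
    These users could authenticate to LDAP with a password that Kerberos
    password changes never touch."""
    flagged = [uid for uid, attrs in entries.items()
               if attrs.get("userPassword")
               and not attrs["userPassword"].startswith("{SASL}")]
    return sorted(flagged)


def uid_mismatches(entries, pts_ids):
    """(name, ldap_uidNumber, afs_pts_id) for names present in both sources
    whose ids differ."""
    out = []
    for uid, attrs in entries.items():
        if uid in pts_ids and int(attrs["uidNumber"]) != pts_ids[uid]:
            out.append((uid, int(attrs["uidNumber"]), pts_ids[uid]))
    return sorted(out)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    pts_ids = parse_pts(SAMPLE_PTS)
    for uid in local_password_users(entries):
        print(f"{uid}: local userPassword hash; second password outside Kerberos")
    for name, ldap_id, afs_id in uid_mismatches(entries, pts_ids):
        print(f"{name}: ldap uidNumber {ldap_id} != afs pts id {afs_id}")
```

On a real system the LDIF would come from `ldapsearch` and the pts text from `pts listentries`; the checks themselves do not change. A user flagged by `local_password_users` is exactly the "user with two passwords" case from the question, and the usual fix is to remove the local hash or replace it with a {SASL} value so simple binds are answered by Kerberos.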