[OpenAFS] krb5 openafs tokens

Douglas E. Engert deengert@anl.gov
Fri, 04 Mar 2005 11:05:00 -0600


Our KDCs have been K5 only for years, and to get an afs token we have
relied on a modified krb524d with a modified aklog called ak5log,
which used K5 and the only K4 part was the ticket returned by
krb524d. This K4 ticket is never saved but only used to pass to
AFS as the token.

We originally modified the krb524d and ak5log to use DCE for the KDC
and to allow us to use the AFS to DFS translator. This actually
required a K5 ticket. So the ak5log could actually use a K5 ticket
without sending it to krb524d to be translated.

We also have gssklog, but it still returns a K4 ticket which is also
not saved, but only used to pass to AFS as the token.

But on Windows we let Leash get a K5 ticket and use it directly
in most cases. gssklog can be used in the others.

I plan on retiring the ak5log when OpenAFS has a unix version of
aklog that does what ak5log can do today.

Glad you brought up pam_krb5afs...

One of the problems with PAM and pam_krb5afs is that they try and
do BOTH Kerberos and AFS. We let pam_krb5 do the Kerberos stuff.

I now have a pam_afs2 routine that will get a PAG, then exec aklog,
ak5log, gssklog, afslog or your favorite program for getting
a token, passing it the PAM environment that would just so happen
to have the KRB5CCNAME= set from the pam_krb5.

The intent is to use the vendor's provided pam_krb5 with
whatever Kerberos they provide which may not have AFS built in.
Then let the pam_afs2 call your favorite program to get the
token, using whatever Kerberos it uses. For example you
might use SEAM for login, but the Heimdal afslog to get
the token.

I have this running well on Solaris, using the MIT Kerberos
and our own pam_krb5. Works well from the console and screen
unlocking will refresh the credentials and tokens. Works with
OpenSSH too.  With Solaris 10, hope to use SEAM and their pam_krb5.

On Linux I am trying the RedHat pam_krb5 (without AFS) and use
the pam_afs2 for AFS. It is working with the gnome from the console
so far. Need to work on the pam files to get the screen lock to work.


Derek T. Yarnell wrote:
> Ok, I understand that ever since 1.2.8, openafs understands a new 2b
> format token. So my question is this, I currently have 1.2.13 running on
> RHEL3, with MIT 1.3.6 as the kerberos servers. I currently use the
> pam_krb5afs (or pam_krb5) pam module to authorize via krb5 then
> retrieve afs tokens. 
> 
> --- krb5.conf 
> [pam]
>  forwardable = true
>  krb4_convert = true
>  addressless = true
>  afs_cells = csic.umd.edu
> ---
> 
> Obviously this converts the krb5 ticket to a v4 then it grabs a token:
> 
> derek@squeamish:~> klist
> Ticket cache: FILE:/tmp/krb5cc_2174_1EkqYC
> Default principal: derek@CSIC.UMD.EDU
> 
> Valid starting     Expires            Service principal
> 03/04/05 11:02:32  03/04/05 21:02:03  krbtgt/CSIC.UMD.EDU@CSIC.UMD.EDU
>         renew until 03/04/05 11:02:32
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt2174_sH1AbO
> Principal: derek@CSIC.UMD.EDU
> 
>   Issued              Expires             Principal
> 03/04/05 11:02:32  03/04/05 20:57:32  krbtgt.CSIC.UMD.EDU@CSIC.UMD.EDU
> 03/04/05 11:02:08  03/04/05 21:02:08  afs.csic.umd.edu@CSIC.UMD.EDU
> derek@squeamish:~> tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 2174) tokens for afs@csic.umd.edu [Expires Mar  4 21:02]
>    --End of list--
> 
> Now, my question is this. How do I get it to just grab 2b tokens? Never
> getting a v4 principal or token? How are people doing this? Can it be
> done with the pam_krb5afs module? or something else?
> 
> Thanks
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
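
Added example, not part of the original message and not the pam_afs2 source: a C sketch of the hand-off described above, where the token program is exec'd with only the PAM environment so it finds the credential cache through KRB5CCNAME. The function name run_token_helper, the absolute-path requirement and the sample values are assumptions made for illustration; PAG creation is left out because it needs the AFS client.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if the environment list carries a non-empty KRB5CCNAME entry. */
static int has_ccache(char *const env[])
{
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        if (strncmp(env[i], "KRB5CCNAME=", 11) == 0 && env[i][11] != '\0')
            return 1;
    return 0;
}

/* Hypothetical helper: run the token program argv[0] with ONLY pam_env as
 * its environment. Returns the program's exit status, or -1 if it was not
 * run (no ccache, non-absolute path, fork failure) or died on a signal. */
int run_token_helper(char *const argv[], char *const pam_env[])
{
    int status;
    pid_t pid;

    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/' || !has_ccache(pam_env))
        return -1;
    /* Assumption: the PAG would be obtained before this point, so the token
     * the helper sets lands in the login session's PAG. */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, pam_env);  /* the caller's environ is not inherited */
        _exit(127);                      /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample values; a real module would take the list from pam_getenvlist(). */
    char *env[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_constructed", NULL };
    char *argv[] = { "/bin/sh", "-c", "echo \"helper sees $KRB5CCNAME\"", NULL };
    printf("helper exit status: %d\n", run_token_helper(argv, env));
    return 0;
}
```

In place of /bin/sh the caller would name aklog, ak5log, gssklog or afslog by full path.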