[OpenAFS] AIX 5.2 Setup (k5/afs/ldap)

Franco "Sensei" Sensei <senseiwa@tin.it>
Wed, 23 Mar 2005 15:55:03 -0600


Hi.

I'm quite new to AIX, so please excuse me... probably it's simple...
I've read the redbook about AIX/Linux, but in no way I can figure out
if I'm doing good, and I miss a step... I'm struggling with AIX 5.2...
my knowledge is more on linux, AIX seems to have a different way of
interpreting authentication...

First, I configured Kerberos5 and LDAP. Now I can obtain a ticket from 
our KDCs, and ldap works for queries... I noticed also that ldap comes 
with no GSSAPI!

Now, I don't know how to continue, since AFS is running without 
kaserver, we have mit kdc and openldap for home directory and uid/gid 
mapping... Then... how can I make AIX join the afs cell as a client?

In simple tasks:
- UID/GID mapping with LDAP entries
- Kerberos Authentication (lsauthent shows K5 and then STD)
- AFS token grabbing (default k5 on aix seems mit-like)

Tell me if my guesses are right:

First, /etc/security/user

default:
         admin = false
         login = true
         su = true
         daemon = true
         rlogin = true
         sugroups = ALL
         admgroups =
         ttys = ALL
         auth1 = SYSTEM
         auth2 = NONE
         tpath = nosak
         SYSTEM = "KRB5files OR compat"
*       SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
         registry = DCE
         umask = 022
         expires = 0
         logintimes =
         pwdwarntime = 0
         account_locked = false



Then /usr/lib/security/methods.cfg

AFS:
         program = /usr/vice/etc/afs_dynamic_auth

KRB5:
         program = /usr/lib/security/KRB5

KRB5files:
         options = db=BUILTIN,auth=KRB5


Finally /usr/vice/etc (ThisCell, CellServDB), and LDAP. Everything seems 
to work, but now I need to glue all the pieces... can you tell me if I'm 
doing good?

plmserver:~> ldapsearch "cn=plm"
version: 2

#
# filter: cn=plm
# requesting: ALL
#

# plm
dn: cn=plm
objectClass: top
objectClass: posixGroup
cn: plm
gidNumber: 10002
memberUid: username
description: afs plm group

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

plmserver:~> kinit username
Password for username@REALM.REALM:

plmserver:~> klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_10831
Default principal:  username@REALM.REALM

Valid starting     Expires            Service principal
03/17/05 20:48:47  03/18/05 06:48:47  krbtgt/REALM.REALM@REALM.REALM

plmserver:~>


-- 
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB>
        <icqnum:241572242>
        <yahoo!:sensei_sen>
        <msn-id:sensei_sen@hotmail.com>
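A consistency check for the two files above, added here as an example: it is not code from the original post, from AIX or from OpenAFS. Every method named in a stanza's SYSTEM attribute (KRB5files, AFS, ...) must have a stanza in methods.cfg, otherwise the login path silently fails over; the script extracts the method names from the SYSTEM expression (dropping the AND/OR operators, parentheses and the [UNAVAIL]/[SUCCESS] result qualifiers) and reports any name without a stanza. The sample files it writes are constructed copies of the configuration in the post, and the list of names it treats as built in (compat, files, NONE) is an assumption of the script.

```shell
#!/bin/sh
# Added example, not part of the original post or of AIX/OpenAFS.
# Cross-checks the SYSTEM attribute of a /etc/security/user-style stanza
# against the module stanzas of a /usr/lib/security/methods.cfg-style file.
# Names accepted without a stanza (assumption, kept in one place):
BUILTIN_METHODS="compat files NONE"

WORK="${TMPDIR:-/tmp}/aix-auth-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files mirroring the configuration in the post.
METHODS_CFG="$WORK/methods.cfg"
cat > "$METHODS_CFG" <<'EOF'
AFS:
        program = /usr/vice/etc/afs_dynamic_auth

KRB5:
        program = /usr/lib/security/KRB5

KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF

USER_CFG="$WORK/user"
cat > "$USER_CFG" <<'EOF'
default:
        auth1 = SYSTEM
        auth2 = NONE
        SYSTEM = "KRB5files OR compat"
*       SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
        registry = DCE
EOF

# Constructed failure case: SYSTEM names a method that has no stanza.
USER_CFG_BAD="$WORK/user.bad"
cat > "$USER_CFG_BAD" <<'EOF'
default:
        auth1 = SYSTEM
        SYSTEM = "KRB5files OR LDAP OR compat"
EOF

# Print the stanza names of a methods.cfg-style file (name at column 0,
# followed by a colon and nothing else).
methods_defined() {
    sed -n 's/^\([A-Za-z0-9_]*\):[[:space:]]*$/\1/p' "$1"
}

# Print the value of attribute $3 in stanza $2 of file $1; lines starting
# with '*' are comments, surrounding quotes are stripped from the value.
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^\*/ { next }
        /^[A-Za-z0-9_]+:[[:space:]]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == stanza {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[[:space:]]+$/, "", key)
            if (key == attr) {
                val = substr(line, n + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                gsub(/"/, "", val); print val
            }
        }' "$1"
}

# Reduce a SYSTEM expression to the method names it references, one per
# line: drop [RESULT] qualifiers, parentheses and the AND/OR operators.
system_methods() {
    printf '%s\n' "$1" \
      | sed -e 's/\[[^]]*\]//g' -e 's/[()]/ /g' \
      | tr ' \t' '\n\n' \
      | grep -v -e '^$' -e '^AND$' -e '^OR$'
}

# check_system METHODS_FILE USER_FILE STANZA: print every method named by
# the stanza's SYSTEM attribute that is neither built in nor defined in
# METHODS_FILE; return 0 when nothing is missing, 1 otherwise.
check_system() {
    defined="$BUILTIN_METHODS $(methods_defined "$1" | tr '\n' ' ')"
    expr=$(stanza_attr "$2" "$3" SYSTEM)
    rc=0
    for m in $(system_methods "$expr"); do
        case " $defined " in
            *" $m "*) ;;
            *) printf '%s\n' "$m"; rc=1 ;;
        esac
    done
    return $rc
}

demo() {   # run the check against both sample stanzas and report
    for f in "$USER_CFG" "$USER_CFG_BAD"; do
        if missing=$(check_system "$METHODS_CFG" "$f" default); then
            echo "$f: every method in SYSTEM has a methods.cfg stanza"
        else
            echo "$f: no stanza for: $(echo $missing)"
        fi
    done
}
demo
```

Run it with no arguments; the two constructed stanzas give one passing and one failing report. On a real host, point `check_system` at `/usr/lib/security/methods.cfg` and `/etc/security/user` and at the stanza (`default` or a user name) whose SYSTEM line you changed; the same check can be applied to the `auth=` target inside an `options =` line by feeding that name through the `defined` list, which the script keeps as a plain space-separated string for that reason.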
