[OpenAFS] fakeka and krb425

Michael Norwick ctx37888@centurytel.net
Tue, 03 May 2005 12:24:42 -0500


Steve Devine wrote:

>
>
> Michael Norwick wrote:
>
>> Please forgive my ignorance.  I have rtfm'd and googled.  I have 
>> OpenAFS 1.3.81 loaded and working on 2 servers on FC3 using a locally 
>> built system from source (not RPMs).  I also have Kerberos5
>> krb5-1.4.1 up and working on these same servers, one master, one 
>> slave, also locally built from source.  My clients can klog OR kinit 
>> to any machine on the network and authenticate and access files in 
>> OpenAFS volumes in my local cell.  Until I have authentication 
>> working properly I do not let them venture out into the greater 
>> world.  My questions are as follows:
>> 1.  How do I get one key/token for the client.  When building krb5 I 
>> did not enable V4 authentication heeding MIT's advice to move to krb5.
>
>
> Krb5 builds with k4 compatibility by default. You can enable or 
> disable K4 in kdc.conf
>
>> I have made several attempts to build Ken H's 2.0 migration kit to 
>> get aklog and asetkey but so far have failed with well documented 
>> make errors (but little documented solutions).  And looking at the 
>> source for krb5-1.4.1 and OpenAFS-1.3.81, I should be able to use 
>> fakeka to grant tokens to OpenAFS. 
>
>
> Yes Fakeka runs in the place of kaserver. What are your make errors?
>
>>
>> 2.  When I do eventually open up access from my local cell to the 
>> world would it be advisable to have krb425 in order to
>> authenticate against way older servers? 
>
>
>>
>> 3.  In any event what is the proper appdefaults section krb5.conf 
>> notation for a krb5 kdc and OpenAFS 1.3.81?
>> 4.  How do I use fakeka? 
>
>
> Fakeka runs in the place of kaserver:
> /usr/local/sbin/fakeka &
>
>>
>>
>> Any references, links and patience are greatly appreciated.
>>
>> Michael
>
[michael@blacky src]# ./configure --prefix=/usr 
--with-krb5-config=/usr/src/krb5-1.4.1/src/krb5-config --with-afs=/usr 
--with-krb5-src=/usr/src/krb5-1.4.1/src 
--with-krb5-obj=/usr/src/krb5-1.4.1/src
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for a BSD-compatible install... /usr/bin/install -c
Adding -I/usr/include to CFLAGS
Adding -L/usr/kerberos/lib -Wl,-rpath -Wl,/usr/kerberos/lib -lkrb5 
-lk5crypto -lkrb5support -lcom_err -lresolv to LIBS
Setting KADM_CFLAGS to -I/usr/include
Setting KADM_LIBS to -L/usr/kerberos/lib -Wl,-rpath 
-Wl,/usr/kerberos/lib -lkadm5srv -lkdb5 -lgssrpc -lgssapi_krb5 -lkrb5 
-lk5crypto -lkrb5support -lcom_err -lresolv
checking for socket... yes
checking for gethostbyname... yes
checking for res_search... yes
checking for getDirPath in /usr/lib/afs/util.a... yes
Setting compilation parameters for AFS 3.5 and later
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for daemon... yes
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for unistd.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for memory.h... (cached) yes
checking paths.h usability... yes
checking paths.h presence... yes
checking for paths.h... yes
checking malloc.h usability... yes
checking malloc.h presence... yes
checking for malloc.h... yes
checking for strerror... yes
checking for an ANSI C-conforming const... yes
checking return type of signal handlers... void
checking for pid_t... yes
configure: creating ./config.status
config.status: creating Makefile

I took out afs2k5db.c from the Makefile because I really just want 
asetkey and aklog. I get this when compiling:

[michael@blacky src]# make
gcc -g -O2 -I/usr/include -I/usr/include -DPACKAGE_NAME=\"afs-krb5\" 
-DPACKAGE_TARNAME=\"afs-krb5\" -DPACKAGE_VERSION=\"1.4\" 
-DPACKAGE_STRING=\"afs-krb5\ 1.4\" 
-DPACKAGE_BUGREPORT=\"kenh@cmf.nrl.navy.mil\" -DAFS=1 -DAFS_INT32=1 
-DAFS_TRY_FULL_PRINC=1 -DHAVE_DAEMON=1 -DSTDC_HEADERS=1 
-DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 
-DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 
-DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 
-DHAVE_UNISTD_H=1 -DHAVE_STDLIB_H=1 -DHAVE_MEMORY_H=1 -DHAVE_PATHS_H=1 
-DHAVE_MALLOC_H=1 -DHAVE_STRERROR=1 -DRETSIGTYPE=void  
-DALLOW_REGISTER   -c -o asetkey.o asetkey.c
asetkey.c: In function `main':
asetkey.c:80: error: too few arguments to function `afsconf_AddKey'
make: *** [asetkey.o] Error 1

I'm still confused as to whether I really need the migration kit as some 
recent documentation tells me that OpenAFS 1.3.81 supports krb5 and 
vice-versa.  But, I am following other documentation which utilizes 
asetkey and aklog - sigh!  I'm utilizing the Transarc paths because it 
fits better with all the IBM/University/OpenAFS docs and so far have 
done well.  My goal is single sign-on.  If I'm barking up the wrong 
tree, my time would be better spent elsewhere, i.e. enabling Web 
authentication, my users will have to get used to another login prompt 
for a while, at least until I get fed up hearing "Well Windows doesn't 
do that...."

Thanks,

Michael