[OpenAFS] OpenAFS and krb5 docs

ph rhole oper slitbit@fastmail.fm
Mon, 10 Oct 2005 13:22:24 +0300


On Sun, 09 Oct 2005 00:06:51 -0700, "Richard Wallace"
<rwallace@thewallacepack.net> said:
> Hello all,
> 
> I'm looking for documentation on how to use MIT-Krb5 with OpenAFS.  The 
> best result I get from Google are references in a post to this mailing 
> list 
> (https://lists.openafs.org/pipermail/openafs-info/2002-March/003872.html) 
> from more than three years ago.  Are these still good references to use 
> with the 1.4rc6 release or are there more updated docs?
> 
> I plan to test and deploy on a Gentoo Linux fileserver with a mix of 
> Linux, Windows and OS X clients.  The Linux and Windows machines are all 
> desktop workstations, but quite a few of the OS X clients are laptops.
> 
> Any pointers would be greatly appreciated!
> 
> Thanks,
> Rich
Actually, there IS enough documentation on this specific subject around
(as I can recall).
In any case, this is some info which might be useful:
0: Read the basics of the Quickstart Guide from openafs.org/documentation
1: OpenAFS uses kaserver (included in openafs's distribution) for
authentication, which is some form of Kerberos IV.
You will make it use krb5's kdc server. For this, you should do the
following:
i) Don't start the kaserver when configuring the database server machine
(as described in openafs's quickstart & admin guide docs).
ii) Create a principal like "afs/your_realm@your_realm"
iii) ktadd -e des-cbc-crc:v4 /tmp/afs_key afs/your_realm (remember that
each time you use it, ktadd changes the kvno of the key)
iv) Download and build the 'asetkey' utility. I took the source from the
"openafs-krb5" Debian package. Then use it to create a
keytab for afs in the format it wants to find it. (asetkey will try to
put it in /etc/openafs/server/KeyFile by default)
# asetkey add <kvno> /tmp/afs_key afs/your_realm
where <kvno> is what you get from
# k5srvutil -f /tmp/afs_key list

Now, restart the bosserver without the -noauth option.
Get credentials for some user with kinit.
Try to run a bos command (something which requires you've got krb5
credentials), and see if it complains about missing credentials.
If not, you're on your way to adding a user in afs using "pts" and
trying to use aklog to see if it gets any afs tokens for this user.
Good luck

Kyriakos Mountakis
ph@softnet.tuc.gr
Technical University of Crete

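As an added, offline example that is not from the post or the OpenAFS project: a Python parser for the version-2 MIT keytab that ktadd writes, reproducing the kvno lookup the post does with "k5srvutil list" and flagging entries still keyed with single-DES des-cbc-crc. The realm EXAMPLE.COM and the key bytes are constructed sample data.

```python
import struct

# Parse a v2 MIT keytab and report principal, kvno and enctype per entry.
DES_CBC_CRC = 1  # the des-cbc-crc enctype the post extracts for AFS (single DES)
def _octets(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def keytab_entry(realm, comps, enctype, key, kvno):
    """Encode one keytab entry (used only to build constructed sample data)."""
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + _octets(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype), ...] for live entries of a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        parts = []
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p); p += 2
            parts.append(data[p:p + n].decode()); p += n
        p += 8                             # skip name_type and timestamp
        kvno = data[p]; p += 1             # 8-bit vno
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        if end - p >= 4:                   # optional 32-bit vno overrides vno8 when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        pos = end
    return entries

def current_kvno(data: bytes, principal: str) -> int:
    """Highest kvno stored for principal: the value to hand to 'asetkey add'."""
    return max(k for p, k, _ in parse_keytab(data) if p == principal)

def weak_entries(data: bytes):
    """Principals whose stored key is single-DES (des-cbc-crc)."""
    return sorted({p for p, _, e in parse_keytab(data) if e == DES_CBC_CRC})

# Constructed sample: two ktadd runs for afs/EXAMPLE.COM, kvno 3 then 4.
SAMPLE_KEYTAB = (b"\x05\x02"
    + keytab_entry("EXAMPLE.COM", ["afs", "EXAMPLE.COM"], DES_CBC_CRC, b"\x01" * 8, 3)
    + keytab_entry("EXAMPLE.COM", ["afs", "EXAMPLE.COM"], DES_CBC_CRC, b"\x02" * 8, 4))
```

Running current_kvno on the sample returns 4, the kvno of the most recent ktadd, which is the value asetkey needs.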