[OpenAFS] OpenAFS and krb5 docs

ph rhole oper slitbit@fastmail.fm
Mon, 10 Oct 2005 13:22:24 +0300

On Sun, 09 Oct 2005 00:06:51 -0700, "Richard Wallace"
<rwallace@thewallacepack.net> said:
> Hello all,
> I'm looking for documentation on how to use MIT-Krb5 with OpenAFS.  The 
> best result I get from Google are references in a post to this mailing 
> list 
> (https://lists.openafs.org/pipermail/openafs-info/2002-March/003872.html) 
> from more than three years ago.  Are these still good references to use 
> with the 1.4rc6 release or are there more updated docs?
> I plan to test and deploy on a Gentoo Linux fileserver with a mix of 
> Linux, Windows and OS X clients.  The Linux and Windows machines are all 
> desktop workstations, but quite a few of the OS X clients are laptops.
> Any pointers would be greatly appreciated!
> Thanks,
> Rich
Actually, there IS enough documentation on this specific subject around
(as I can recall).
In any case, this is some info which might be useful:
0: Read the basics of Quickstart Guide from openafs.org/documentation
1: OpenAFS uses kaserver (included in openafs's distribution) for
authentication, which is some form of Kerberos IV.
You will make it use krb5's kdc server. For this, you should do the
i) Don't start the kaserver when configuring the database server machine
(as described in openafs's quickstart & admin guide docs).
ii) Create a principal like "afs/your_realm@your_realm"
iii) ktadd -k /tmp/afs_key -e des-cbc-crc:v4 afs/your_realm (remember that
each time you use it, ktadd changes the kvno of the key)
iv) Download and build the 'asetkey' utility. I took the source from the
"openafs-krb5" Debian package. Then use it to create a
keytab for afs in the format it wants to find it. (asetkey will try to
put it in /etc/openafs/server/KeyFile by default)
# asetkey add <kvno> /tmp/afs_key afs/your_realm
where <kvno> is what you get from
# k5srvutil -f /tmp/afs_key list

Now, restart the bosserver without the -noauth option.
Get credentials for some user with kinit.
Try to run a bos command (something which requires you've got krb5
credentials), and see if it complains about missing credentials.
If not, you're on your way to adding a user in afs using "pts" and
trying to use aklog to see if it gets any afs tokens for this user.

Kyriakos Mountakis
Technical University of Crete
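
Added example, not part of the original message: because ktadd bumps the kvno on every run, this helper reads the keytab listing and builds the matching asetkey command from the highest kvno present. The listing layout (klist -k style), the example.org realm and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of a `k5srvutil -f /tmp/afs_key list` listing
# (assumed klist -k layout). The afs principal appears twice because
# ktadd was run twice and each run raised the kvno.
SAMPLE_LISTING='Keytab name: FILE:/tmp/afs_key
KVNO Principal
---- --------------------------------------------------------------
   3 afs/example.org@EXAMPLE.ORG
   4 afs/example.org@EXAMPLE.ORG
   2 host/fs1.example.org@EXAMPLE.ORG'

# afs_kvno PRINCIPAL
# Reads a listing on stdin and prints the highest kvno found for
# PRINCIPAL (given with or without the @REALM suffix).
# Exits non-zero when the principal has no entry at all.
afs_kvno() {
    awk -v p="$1" '
        BEGIN { max = -1 }
        # Entry lines start with a numeric kvno; headers do not.
        $1 ~ /^[0-9]+$/ && ($2 == p || index($2, p "@") == 1) {
            if ($1 + 0 > max) { max = $1 + 0 }
        }
        END { if (max < 0) { exit 1 }; print max }'
}

# asetkey_command KEYTAB PRINCIPAL
# Reads the listing on stdin and prints the asetkey invocation whose
# kvno matches the newest key in the keytab.
asetkey_command() {
    kvno=$(afs_kvno "$2") || {
        echo "no key for $2 in listing" >&2
        return 1
    }
    printf 'asetkey add %s %s %s\n' "$kvno" "$1" "$2"
}

# Stand-alone run on the constructed sample. On a real server, pipe the
# output of `k5srvutil -f /tmp/afs_key list` into the function instead.
printf '%s\n' "$SAMPLE_LISTING" | asetkey_command /tmp/afs_key afs/example.org
```

If the kvno stored in the KeyFile is older than the one the KDC currently issues tickets for, the server cannot decrypt those tickets, so rerun this after every ktadd.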
