[OpenAFS] Installing 1.4.0RC4 to use SEAM Krb5

Douglas E. Engert deengert@anl.gov
Mon, 19 Sep 2005 12:42:55 -0500



Coy Hile wrote:
 > Hello,
 >
 > I'm attempting to install 1.4.0RC4 onto my machines and create a local
 > cell for myself to experiment with OpenAFS.  Currently, I have SEAM (
 > Solaris 10 GA) running and working for user authentication.  The
 > installation documents that I found state, "if you're going to use Kerberos
 > rather than AFS authentication and authorization, contact IBM support to
 > see how to change this installation procedure."  What I'd like to know
 > is whether there are documents that tell me (hopefully in baby steps as
 > I am new to Kerberos as well) what I need to do to integrate OpenAFS with
 > my existing SEAM/krb5 install.  Users currently authenticate through the
 > pam_krb5 module that ships with SEAM.
 >
 > Thanks,
 >
 >

The missing piece is getting AFS tokens using the SEAM kerberos. My note from
8/23/05 outlines how I got the OpenAFS aklog to compile and use the SEAM kerberos
library. Other options are to install MIT or Heimdal to be used by aklog
only.

Then there are the PAM issues, of getting a token after the SEAM krb5-pam
gets the ticket. See below on this as well.


-------- Original Message --------
Subject: Re: [OpenAFS] aklog and PAM for Solaris
Date: Tue, 23 Aug 2005 14:47:50 -0500
From: Douglas E. Engert <deengert@anl.gov>
To: OpenAFS-info@openafs.org
References: <787.1124575561@pabst.cs.uwm.edu> <4309E61C.6030105@anl.gov>

In response to my own comment about trying aklog on Solaris 10 with the
built in Kerberos, I was able to get it to run.  Attached are diffs
to the OpenAFS 1.4.0-rc1. Hopefully someone will find these useful, and will
cause others to ask Sun to include the krb5.h in the base distribution.
(See the note to kerberos@mit.edu asking Sun these same questions.)

To do this required using the krb5/include from http://www.opensolaris.org
to get a krb5.h, plus the MIT krb5-1.4.1 profile.h and com_err.h.

The changes in aklog are:

    o Solaris 10 does not define u_int32_t, but does have a uint32_t

    o Solaris does not have 524, and aklog can be run without it, in
      some situations which includes 99% of our users, so I changed the
      #error to a #define, and #ifdefed out the references to the 524 code.

    o Since the Solaris Kerberos does not have add_error_table, but the
      MIT com_err.h defines one, I commented out the use of add_error_table
      to get it to run.

    o The configure was done using:


KRB5CFLAGS="-I$K5BUILD/$SYS/krb5/include"
KRB5LIBS="/usr/lib/gss/mech_krb5.so -R/usr/lib/gss"
export KRB5CFLAGS
export KRB5LIBS
./configure --enable-transarc-paths \
            --with-krb5=yes \
            --enable-largefile-fileserver \
            --host=sparc-sun-solaris2.10

There is another subtle problem in that our AFS servers are not in the
same Kerberos realm as 99% of the users (ANL.GOV) or the cell (anl.gov).
This required the use of the aklog -c and -k options.

So this is looking promising, we will continue to use gssklog that has
no problems with using the Solaris 10 Kerberos via GSSAPI.



Douglas E. Engert wrote:

> 
> 
> John Tang Boyland wrote:
> 
>> I've been able to transition to using Kerberos V with the help
>> of people on this list and Ken's migration kit (thanks!).  I put some
>> notes in the Wiki to fill in some gaps.
>>
>> I notice that openafs-1.3.87 includes aklog (good!) but it seems to be
>> missing a PAM module that can be used with krb5.  The man page
>> pam_afs.5 says one should use pam_krb5 instead of pam_afs but of
>> course, pam_krb5 doesn't get AFS tokens.  Because of the way dtlogin
>> works on Solaris, you need to get tokens before the .profile/.cshrc is
>> sourced.  A PAM module seems to be the right thing.  There are old
>> notes talking about pam_aklog (on Martin Schultz's old AFS-Krb5 web
>> page that is only available in Google caches) including about
>> T. Clancy's pam_aklog with a dead URL.
>>
>> (1) How do other sites handle this?  Is pam_aklog passe ?
> 
> 
> We are using the Solaris 10 provided pam_krb5, and Solaris provided
> Kerberos which knows nothing about AFS.
> 
> We have added an additional pam_afs2 that is called after the pam_krb5
> has sorted the tickets and set KRB5CCNAME in the pam_env. pam_afs2 then
> fork/exec of gssklog. It could just as easily fork/exec the aklog from
> 1.3.87 which is on my list of things to try. Note that pam_afs2 has
> no Kerberos or AFS code, it just passes the pam_env with the KRB5CCNAME
> to the gssklog or aklog.
> 
> The above works with Solaris 10's version of SSHD, dtlogin, login, xlock
> and xscreensaver.  With xlock and xscreensaver the tickets and tokens are
> refreshed.  See attached pam.conf
> 
> Solaris 10's sshd has some problems with trying to use the default
> ticket cache for a user, so we went back to using session based
> credentials where each session has its own ticket cache pointed
> at by KRB5CCNAME. To force the SSHD to do this, we added a
> pam_krb5_ccache  that calls pam_put_env to preset the KRB5CCNAME
> to be used by the SSHD, thus going back to session based credentials.
> 
> (On Solaris 9 we are using a version of Frank Cusack's pam_krb5
> and pam_afs2 in some cases.)
> 
>> (2) If not, how can I get it for Solaris ?
>>   (2b) Is there some reason why it isn't integrated with
>>        aklog in the src tree ?  (or in the PAM directory.)
> 
> 
> I believe that the pam_krb5 and pam_afs* should not be integrated,
> on any system (as I have said in the past). Having them separate allows
> one to use the vendor's pam_krb5.
> 
>> (3) Can we get some documentation/help from this from Openafs.org ?
>>    There are many places that encourage one to use krb5 instead
>>    of AFS kaserver, but one's left scrounging around in unofficial
>>    RPM's off random websites to get something to work with Solaris.
> 
> 
> If anyone is interested, Here is one of those random sites:
> 
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.3.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/pam_krb5_ccache-0.1.tar
> ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.11.tar
> 
> 
> 
>>    Thanks!
>> John
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>>
> 
> 
> ------------------------------------------------------------------------
> 
> #
> #ident	"@(#)pam.conf	1.28	04/04/21 SMI"
> #
> # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login	auth requisite		pam_authtok_get.so.1
> login	auth required		pam_dhkeys.so.1
> login	auth required		pam_unix_cred.so.1
> login	auth required		pam_unix_auth.so.1
> login	auth required		pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin	auth requisite		pam_authtok_get.so.1
> rlogin	auth required		pam_dhkeys.so.1
> rlogin	auth required		pam_unix_cred.so.1
> rlogin	auth required		pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin	auth required		pam_unix_cred.so.1
> krlogin	auth binding		pam_krb5.so.1
> krlogin auth required          /krb5/lib/pam_afs2.so.1 
> krlogin	auth required		pam_unix_auth.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh	auth required		pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh	auth required		pam_unix_cred.so.1
> krsh	auth required		pam_krb5.so.1 
> krsh    auth required		/krb5/lib/pam_afs2.so.1  
> #krsh	auth required		pam_unix_auth.so.1
> 
> #
> # Kerberized telnet service
> #
> ktelnet	auth required		pam_unix_cred.so.1
> ktelnet	auth binding		pam_krb5.so.1
> #DEE leave unmodified till the pam.conf and pam_afs2 are stable
> #DEE leaves us a way on to machine
> # But this allows password login
> ktelnet	auth required		pam_unix_auth.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp	auth requisite		pam_authtok_get.so.1
> ppp	auth required		pam_dhkeys.so.1
> ppp	auth required		pam_unix_cred.so.1
> ppp	auth required		pam_unix_auth.so.1
> ppp	auth required		pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other	auth requisite		pam_authtok_get.so.1
> other	auth required		pam_dhkeys.so.1
> other	auth required		pam_unix_cred.so.1
> other	auth required		pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd	auth required		pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron	account required	pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other	account requisite	pam_roles.so.1
> other	account required	pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other	session required	pam_unix_session.so.1
> #
> # Default definition for  Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other	password required	pam_dhkeys.so.1
> other	password requisite	pam_authtok_get.so.1
> other	password requisite	pam_authtok_check.so.1
> other	password required	pam_authtok_store.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> 
> # DEE from pam_krb5_man pages: 
> 
> #DEE smartcard failed, so skip it for now
> #dtlogin	auth requisite		pam_smartcard.so.1
> dtlogin		auth requisite		pam_authtok_get.so.1
> dtlogin		auth required		pam_dhkeys.so.1
> dtlogin		auth required		pam_unix_cred.so.1
> dtlogin		auth optional		pam_krb5.so.1 
> dtlogin		auth required		/krb5/lib/pam_afs2.so.1   
> # allows password login 
> dtlogin		auth optional		pam_unix_auth.so.1
> 
> #
> # dtsession - lock/unlock screen, refresh creds and AFS token
> #
> dtsession	auth requisite		pam_authtok_get.so.1
> dtsession	auth required		pam_dhkeys.so.1
> dtsession	auth optional		pam_krb5.so.1    
> dtsession	auth required		/krb5/lib/pam_afs2.so.1 nopag
> # allows unlock with local password
> dtsession	auth optional		pam_unix_auth.so.1
> 
> #
> # xlock 
> #
> xlock   auth requisite		pam_authtok_get.so.1
> xlock   auth required		pam_dhkeys.so.1
> xlock   auth optional		pam_krb5.so.1  
> xlock   auth required		/krb5/lib/pam_afs2.so.1  nopag
> # allows unlock with local password
> xlock   auth optional		pam_unix_auth.so.1
> 
> #
> # xscreensaver used by gnome or CDE
> #
> xscreensaver    auth requisite		pam_authtok_get.so.1
> xscreensaver    auth required		pam_dhkeys.so.1
> xscreensaver    auth optional		pam_krb5.so.1  
> xscreensaver    auth required		/krb5/lib/pam_afs2.so.1  nopag
> # allows unlock with local password
> xscreensaver    auth optional		pam_unix_auth.so.1
> #
> 
> #
> # sshd - keyboard interactive uses all PAM exits, but
> #        PAM session is called when GSSAPI delegation or
> #        Kerberos password used, so get AFS token in all three cases.
> #        We want a session type cache, so with ANL PAM
> #        pass in ccache= to account routine
> #        RedHat PAM uses session caches already
> #
> sshd-kbdint	auth requisite		pam_authtok_get.so.1
> sshd-kbdint	auth required		pam_dhkeys.so.1
> sshd-kbdint	auth required		pam_krb5.so.1  
> # allows login with local password
> sshd-kbdint	auth optional		pam_unix_auth.so.1
> 
> sshd-kbdint	account requisite	pam_roles.so.1
> sshd-kbdint	account required	pam_unix_account.so.1
> sshd-kbdint	account required	/krb5/lib/pam_krb5_ccache.so.1  ccache=/tmp/krb5cc_pw_%u_%p
> 
> sshd-kbdint	session required	pam_unix_session.so.1
> sshd-kbdint	session required	/krb5/lib/pam_afs2.so.1
> 
> # Used by GSS, but ssh has bug about saving creds, so we use session based creds. 
> 
> sshd-gssapi   account requisite  pam_roles.so.1
> sshd-gssapi   account required   pam_unix_account.so.1
> sshd-gssapi	  account required   /krb5/lib/pam_krb5_ccache.so.1  ccache=/tmp/krb5cc_%u_%p
> 
> sshd-gssapi   session required	pam_unix_session.so.1
> sshd-gssapi   session required	/krb5/lib/pam_afs2.so.1 
> sshd-gssapi	  session required  /krb5/lib/pam_krb5_ccache.so.1  clean

-- 

   Douglas E. Engert  <DEEngert@anl.gov>
   Argonne National Laboratory
   9700 South Cass Avenue
   Argonne, Illinois  60439
   (630) 252-5444

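As an added check (not code from this thread, nor from OpenAFS or the pam_afs2 package), the Python script below lints a Solaris-style pam.conf against the invariants the pam.conf above relies on: pam_afs2 must run after pam_krb5 in the same service's stacks because it needs the KRB5CCNAME that pam_krb5 puts in the pam env, only the screen-lock services (dtsession, xlock, xscreensaver) carry nopag, and every account/session stack belongs to a service name that also has an auth stack. The sample input is a constructed excerpt; the spelling check on service names is a generalization that catches the sshd-kbdint/sshd-kdbint kind of mismatch.

```python
from collections import defaultdict

# Constructed excerpt modelled on the pam.conf quoted in the thread; not the full file.
SAMPLE_PAM_CONF = """\
dtlogin     auth    optional  pam_krb5.so.1
dtlogin     auth    required  /krb5/lib/pam_afs2.so.1
xlock       auth    optional  pam_krb5.so.1
xlock       auth    required  /krb5/lib/pam_afs2.so.1  nopag
sshd-kbdint auth    required  pam_krb5.so.1
sshd-kdbint session required  /krb5/lib/pam_afs2.so.1
ktelnet     auth    binding   pam_krb5.so.1
"""

# Screen-lock services refresh tokens inside the existing PAG, hence nopag; login services must not.
LOCK_SERVICES = {"dtsession", "xlock", "xscreensaver"}

def parse_pam_conf(text):
    """Return (service, type, control, module basename, options) per non-comment line."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drops comments and blank lines
        if len(fields) < 4:
            continue
        service, ptype, control, module = fields[:4]
        entries.append((service, ptype, control, module.rsplit("/", 1)[-1], fields[4:]))
    return entries

def lint_pam_conf(text):
    """Return findings as strings; an empty list means the token-acquisition invariants hold."""
    findings, stacks = [], defaultdict(list)   # (service, type) -> [(module, options)]
    for service, ptype, _control, module, opts in parse_pam_conf(text):
        stacks[(service, ptype)].append((module, opts))
    auth_services = {s for s, t in stacks if t == "auth"}
    for (service, ptype), mods in stacks.items():
        names = [m for m, _ in mods]
        if ptype == "auth" and "pam_krb5.so.1" in names:
            afs = [i for i, m in enumerate(names) if m.startswith("pam_afs2")]
            in_session = any(m.startswith("pam_afs2") for m, _ in stacks.get((service, "session"), []))
            if not afs and not in_session:
                findings.append(f"{service}: pam_krb5 but no pam_afs2 afterwards, no AFS token")
            elif afs and afs[0] < names.index("pam_krb5.so.1"):
                findings.append(f"{service}: pam_afs2 runs before pam_krb5, KRB5CCNAME not set yet")
        for module, opts in mods:
            if module.startswith("pam_afs2") and (service in LOCK_SERVICES) != ("nopag" in opts):
                findings.append(f"{service}: nopag must be set exactly for screen-lock services")
        # account/session entries for a name that never authenticates are usually a typo
        if ptype != "auth" and service not in auth_services and service not in ("other", "cron"):
            findings.append(f"{service}: {ptype} stack but no auth stack, check the spelling")
    return findings
```

Run it over the real /usr/lib/security pam.conf by passing the file contents to lint_pam_conf(); the sample above yields three findings (sshd-kbdint without a token step, the misspelled sshd-kdbint, and ktelnet without pam_afs2).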

Attachment: aklog.1.4.0-rc1.diff

--- ./,aklog.h	Mon Jul 11 14:07:00 2005
+++ ./aklog.h	Tue Aug 23 10:50:24 2005
@@ -51,6 +51,10 @@
 #define INST_SZ 40
 #endif /* INST_SZ */
 
+#ifndef u_int32_t
+#define u_int32_t uint32_t
+#endif
+
 struct ktext {
     unsigned int length;
     unsigned char dat[MAX_KTXT_LEN];
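Review bot: the `#ifndef u_int32_t` guard in this aklog.h hunk tests for a preprocessor macro, but on platforms that do provide u_int32_t it is normally a typedef in <sys/types.h>, not a macro, so the guard is true everywhere and the `#define u_int32_t uint32_t` is applied on every build, not just Solaris 10. Harmless where both names exist, but a configure-time type check (a HAVE_U_INT32_T style symbol, for example) would express the Solaris case without touching other platforms.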
--- ./,aklog_main.c	Mon Jul 18 21:51:53 2005
+++ ./aklog_main.c	Tue Aug 23 12:44:36 2005
@@ -201,7 +201,7 @@
 #if !defined(HAVE_KRB5_524_CONVERT_CREDS) && defined(HAVE_KRB524_CONVERT_CREDS_KDC)
 #define krb5_524_convert_creds krb524_convert_creds_kdc
 #elif !defined(HAVE_KRB5_524_CONVERT_CREDS) && !defined(HAVE_KRB524_CONVERT_CREDS_KDC)
-#error "You must have one of krb5_524_convert_creds or krb524_convert_creds_kdc available"
+#define HAVE_NO_KRB5_524
 #endif
 
 #endif /* WINDOWS */
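Review bot: replacing the `#error` with `#define HAVE_NO_KRB5_524` turns what was a hard build failure on any platform lacking both krb5_524_convert_creds and krb524_convert_creds_kdc into a silent build without the -524 option; consider at least a `#warning` or a configure-time notice so a build against a Kerberos that was expected to provide krb524 does not quietly lose the feature.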
@@ -631,6 +631,7 @@
 		   get_cred_keylen(v5cred));
 	    atoken.ticketLen = v5cred->ticket.length;
 	    memcpy(atoken.ticket, v5cred->ticket.data, atoken.ticketLen);
+#ifndef HAVE_NO_KRB5_524
 	} else {
     	    CREDENTIALS cred;
 
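Review bot: the `#ifndef HAVE_NO_KRB5_524` opened here just before `} else {` is closed only by the `#endif` in the next hunk, so the two hunks must always be applied together. The `if` condition that selects the V5 branch is outside this hunk; with the `-524` parsing removed later in the patch it should never be false, but that is worth confirming, because if it can be, the build without 524 leaves atoken unfilled with no else branch to catch it.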
@@ -665,6 +666,7 @@
 	    memcpy(&atoken.sessionKey, cred.session, 8);
 	    atoken.ticketLen = cred.ticket_st.length;
 	    memcpy(atoken.ticket, cred.ticket_st.dat, atoken.ticketLen);
+#endif /* HAVE_NO_KRB5_524 */
 	}
 	
 	if (!force &&
@@ -1187,7 +1189,11 @@
 	    "[-d] [[-cell | -c] cell [-k krb_realm]] ",
 	    "[[-p | -path] pathname]\n",
 	    "    [-zsubs] [-hosts] [-noauth] [-noprdb] [-force] [-setpag] \n"
-	    "    [-linked] [-524]\n");
+	    "    [-linked]"
+#ifndef HAVE_NO_KRB5_524
+		" [-524]"
+#endif
+		"\n");
     fprintf(stderr, "    -d gives debugging information.\n");
     fprintf(stderr, "    krb_realm is the kerberos realm of a cell.\n");
     fprintf(stderr, "    pathname is the name of a directory to which ");
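Review bot: splitting the usage string with `#ifndef` inside the fprintf argument list is valid, since adjacent string literals are concatenated, but the new `" [-linked]"`, `" [-524]"` and `"\n"` lines are indented with two tabs where the surrounding continuation lines use a tab plus four spaces; match the existing indentation.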
@@ -1199,7 +1205,9 @@
     fprintf(stderr, "    -force means replace identical tickets. \n");
     fprintf(stderr, "    -linked means if AFS node is linked, try both. \n");
     fprintf(stderr, "    -setpag set the AFS process authentication group.\n");
+#ifndef HAVE_NO_KRB5_524
     fprintf(stderr, "    -524 means use the 524 converter instead of V5 directly\n");
+#endif
     fprintf(stderr, "    No commandline arguments means ");
     fprintf(stderr, "authenticate to the local cell.\n");
     fprintf(stderr, "\n");
@@ -1272,8 +1280,10 @@
 		linked++;
 	else if (strcmp(argv[i], "-force") == 0)
 	    force++;
+#ifndef HAVE_NO_KRB5_524
 	else if (strcmp(argv[i], "-524") == 0)
 	    do524++;
+#endif
     else if (strcmp(argv[i], "-setpag") == 0)
 	    afssetpag++;
 	else if (((strcmp(argv[i], "-cell") == 0) ||
@@ -1527,13 +1537,13 @@
 #undef error_table
 
 #ifndef HAVE_ADD_ERROR_TABLE
-void add_error_table (const struct error_table *);
+long add_error_table (const struct error_table *);
 #endif /* !HAVE_ADD_ERROR_TABLE */
 
 void
 add_to_error_table(struct et_list *new_table)
 {
-	add_error_table((struct error_table *) new_table->table);
+//	add_error_table((struct error_table *) new_table->table);
 }
 #endif /* HAVE_ADD_TO_ERROR_TABLE */
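Review bot: commenting out the add_error_table() call in add_to_error_table() means the AFS error tables are never registered, so error_message() on an AFS error code returns an unknown-code string instead of a readable message; the `//` comment is also C99 syntax that older Solaris cc modes reject. Since the prototype three lines up is already conditional on HAVE_ADD_ERROR_TABLE, wrap the call in `#ifdef HAVE_ADD_ERROR_TABLE ... #endif` with a `/* */` comment explaining that the Solaris libkrb5 has no add_error_table, rather than disabling it for every platform. The `void` to `long` prototype change itself is fine: it matches the declaration the post says the MIT com_err.h provides.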
 

