[OpenAFS] Installing 1.4.0RC4 to use SEAM Krb5

Douglas E. Engert deengert@anl.gov
Mon, 19 Sep 2005 18:09:36 -0500


Coy Hile wrote:

> On Mon, 19 Sep 2005, Douglas E. Engert wrote:
> 
> 
>>Date: Mon, 19 Sep 2005 15:13:00 -0500
>>From: Douglas E. Engert <deengert@anl.gov>
>>To: Coy Hile <coy.hile@coyhile.ca>
>>Cc: openafs-info@openafs.org
>>Subject: Re: [OpenAFS] Installing 1.4.0RC4 to use SEAM Krb5
>>
>>Also as said, I was using gssklog, that uses a standard API that does
>>not have these problems.
>>
>>I build from AFS, and $K5BUILD points into our cell where these
>>were at. $SYS is in effect @sys, i.e. sysname of sun4x_510
>>
> 
> 
> Let me pose another question.  Let's assume that I have my PAM stack
> setup like you mentioned in your first mail (and end up using gssklog
> to do the krb5 to OpenAFS token stuff).  Initializing the first machine
> in my cell, what (if any) modifications do I need to make to the
> instructions given here
> 
> http://www.openafs.org/pages/doc/QuickStartUnix/auqbg005.htm#HDRWQ50
> 

The trick here is that all the AFS servers use the /usr/afs/etc/KeyFile.
(check the name of this file.) This contains a DES key and kvno that matches
the afs@REALM and/or afs/cell@REALM principals in the KRB5 realm.  See recent
mail archives on how to set this key.

In effect the token is encrypted in this key, and the AFS servers encrypt
traffic among themselves using this key from the KeyFile.

> under the sections "Starting the Database server processes",
> "initializing cell security" and "starting the fileserver, Volume
> Server and Salvager" to ensure that my krb5 installation is used
> for authentication and authorization? Unless I am misunderstanding
> setting up the cell security, some non-krb5 password ends up getting
> used for auth.
> 
> Apologies for the inane questions, but parts of this take a while to
> get one's head around the first time.
> 

Having used AFS in conjunction with KRB5 for years, it appears obvious,
but to a newcomer, these steps should be documented. (It may already be.
I have not looked.)


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
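A sanity check for the KeyFile/KDC agreement described in the reply above (the kvno in /usr/afs/etc/KeyFile must match the kvno of the afs/cell@REALM or afs@REALM principal), added here as an example and not code from the original thread. The `bos listkeys` and `kvno` output it parses are constructed samples; the server, cell and realm names in check_live are placeholders.

```shell
#!/bin/sh
# Verify that the kvno of the AFS server key in /usr/afs/etc/KeyFile (as
# reported by `bos listkeys`) matches the kvno of the cell principal in the
# KDC (as reported by `kvno`). A stale KeyFile kvno is the usual reason a
# token obtained via Kerberos 5 is rejected by the fileservers.

# Extract the kvno from `kvno` output such as
#   "afs/example.com@EXAMPLE.COM: kvno = 3"
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extract every kvno listed by `bos listkeys`, one per line, from lines such as
#   "key 3 has cksum 2035850286"
keyfile_kvnos() {
    printf '%s\n' "$1" | sed -n 's/^key \([0-9][0-9]*\) has cksum.*/\1/p'
}

# Return 0 when the KDC's kvno is present in the KeyFile, 1 otherwise.
kvno_matches() {
    kdc=$(kdc_kvno "$1")
    [ -n "$kdc" ] || return 1
    for k in $(keyfile_kvnos "$2"); do
        [ "$k" = "$kdc" ] && return 0
    done
    return 1
}

# Live check against a running server (needs a Kerberos ticket and access to
# the KeyFile via -localauth). Arguments are placeholders: server cell realm.
check_live() {
    kvno_matches "$(kvno "afs/$2@$3" 2>/dev/null)" \
                 "$(bos listkeys "$1" -localauth 2>/dev/null)"
}

# Constructed sample outputs (not captured from a real cell).
SAMPLE_KVNO='afs/example.com@EXAMPLE.COM: kvno = 3'
SAMPLE_LISTKEYS='key 3 has cksum 2035850286
Keys last changed on Mon Sep 19 10:00:00 2005.
All done.'
SAMPLE_LISTKEYS_STALE='key 2 has cksum 1193289475
Keys last changed on Mon Jan 10 09:00:00 2005.
All done.'
```

Run it against a real server with `check_live <server> <cell> <REALM>`; a non-zero exit means the KeyFile must be re-set with the current key and kvno before Kerberos tokens will be accepted.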