[OpenAFS] Changes for Mosaic's AFS cell...

Christopher Allen Wing wingc@engin.umich.edu
Thu, 6 Apr 2006 12:11:57 -0400 (EDT)


> 2.  I'm curious as to why no one responded to the problem with xlock and
> xscreensavers relating to PAM, K5 tickets, and tokens.  Is this some kind
> of state secret, or are we the only ones with the problem?  To summarize
> again...
>       On Linux the xscreensaver runs as the user but appears to be started
> by init.  When the screen is locked, then unlocked, the PAM module
> generates a new Kerberos 5 ticket, but doesn't use the correct ticket
> cache.  It seems to always create a new ticket cache.

This is entirely dependent on which "Linux" you are using.  Various linux 
distributions include different PAM modules, and different versions of 
xscreensaver as well.

xscreensaver is not started by init, it just has no parent process.  This 
is because the GUI environments used on Linux (GNOME, KDE, etc.) generally 
don't have a single process that looks after everything.  When 
xscreensaver starts up it forks and runs in the background, which is why 
it shows up with a parent process ID of 1 (init).

All I can say is that in my experience, the PAM module which is developed 
by Red Hat (which they call pam_krb5) works properly and does the right 
thing with xscreensaver.  When you unlock the screen, it does the 
equivalent of a 'kinit', replacing the existing ticket cache (from 
$KRB5CCNAME) with a fresh ticket, and obtains new tokens.  RHEL4 seems to 
work properly, and I assume that recent versions of Fedora should also 

If you are using a recent Red Hat distribution and pam_krb5 doesn't work, 
then something must be broken and I can probably help you debug it.  If 
you are using an old (obsolete) distribution, then your PAM module might 
be bad.

If you are using a non-Red Hat distribution, you could try compiling the 
pam_krb5 code (which you can download from the Fedora site, etc.) and it 
should work.

> 4.  I gather from the responses that we need a "special" AKLOG to remove
> the need for the 5 to 4 daemon in a pure K5 environment.  I'm unsure what
> is meant here by "special".  I mean the OpenAFS Windows client ships with
> AKLOG.  Is it special?  Is the Linux version "special"?

The aklog which comes with the 'afs-krb5 migration kit' only supports 
using the krb524 service.  In the past, Derek Atkins's OpenAFS RPMs (e.g, 
the 1.2.x RPMs on the openafs.org web site) included a version of this 
aklog.  So if you are using those (older) packages on Linux, or if you 
compiled aklog yourself from the afs-krb5 kit then you would be using the 
524 service.

As of OpenAFS 1.4.x, the openafs source code includes its own version of 
aklog, which does not require the 524 service (however, it can optionally 
make use of it with a command line flag).  The 1.4.0 RPMs that you can 
download from openafs.org do not use this aklog, they use the older one 
from the afs-krb4 kit; however, when the 1.4.1 RPM comes out, it will use 
the built-in aklog which does not require krb524.

So the short answer is, if you build OpenAFS 1.4.x yourself from source, 
and if you properly configure so that the included aklog is built, then 
you will have an aklog which does not require krb524 to function.  Or, if 
you wait until the official 1.4.1 release (or if you use the most recent 
1.4.1rc prerelease RPMs), then the RPMs from openafs.org should include a 
precompiled binary of this aklog.

The way to tell which aklog you have is to run it with the '-help' option:

 	% aklog -help

 	Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]] [[-p | -path] pathname]
 	    [-zsubs] [-hosts] [-noauth] [-noprdb] [-force] [-setpag]
 	    [-linked] [-524]
 	-524 means use the 524 converter instead of V5 directly

If you see '-524' listed as one of the options, that means that you have 
the new aklog that does not use the 524 service by default.  (you need to 
run it with the -524 flag to force it to use 524)

On the other hand, an 'old' aklog looks like this:

 	% aklog -help

 	Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]] [[-p | -path] pathname]
 	    [-zsubs] [-hosts] [-noauth] [-noprdb] [-force] [-setpag] [-linked]

I am not familiar with the Windows and Mac packages, so I don't know what 
type of 'aklog' program is included or how it behaves.  (sorry, I'm too 
busy to browse the openafs source right now and figure this out, but if 
you take a look, the Windows aklog is in its own directory apart from the 
one used on Unix)

>       a.  We need a special AKLOG.  Ok, is there one for
> Windows?  Linux?  Solaris?, OSX?, etc?

For Unix, if you build using OpenAFS 1.4.x from source, then the included 
aklog does not require krb524, and indeed, it does not use it by default. 
Note that when compiling, you generally need to tell it the location of 
your kerberos libraries and include files via a configure option.

I don't know which aklog is included with the 1.4.x packages for Solaris 
or OS X- someone else can fill you in, or else you can just download the 
binaries and take a look for yourself.

>       b.  Do all the PAMs for various OSs support this "special"
> feature?  Or do the PAMs just system out to an existing AKLOG?

There are many different PAM modules out there and they all behave 
differently.  The OpenAFS source code does not include a Kerberos 5 PAM 

The Red Hat developed PAM module, which they call pam_krb5, does support 
getting AFS tokens without the krb524 service (provided you are using a 
recent version; old, obsolete distributions will have an older pam_krb5 
module that can't do this).

It's also possible to write a 'universal' PAM module that does nothing but 
fork off an aklog process.

-Chris Wing