[OpenAFS] OpenAfs+Kerberos+OSXLion+Finder+Two Realms

Derrick Brashear shadow@gmail.com
Thu, 22 Sep 2011 07:41:49 -0400


On Thu, Sep 22, 2011 at 2:05 AM, Ivan Glushkov
<glushkov.ivan@googlemail.com> wrote:
> Dear Experts,
>
> I installed OSX 10.7.1 a few weeks ago and I uninstalled my old (Snow
> Leopard) OpenAfs version using the uninstall link from the Snow Leopard
> installer image, and installed the Lion version. My main aim is to have
> access in my Finder.app to two realms, to which I am logged in with the same
> login but different passwords. With the previous configuration I was using
> the following configuration:

Kerberos in Lion has some bugs, sadly.

> ===== Setting the environment
> I have a "script" I was executing every 24 hours:
>
> alias pas='kdestroy --all; export KRB5CCNAME=FILE:/tmp/krb5cc_cern ; kinit
> -V glushkov@CERN.CH; aklog -force -c cern.ch -k CERN.CH; export
> KRB5CCNAME=FILE:/tmp/krb5cc_desy ; kinit -V glushkov@DESY.DE; aklog -force
> -c desy.de -k DESY.DE'


> ~ > pas
> glushkov@CERN.CH's Password:
> Placing tickets for 'glushkov@CERN.CH' in cache 'FILE:/tmp/krb5cc_cern'
> glushkov@DESY.DE's Password:
> Placing tickets for 'glushkov@DESY.DE' in cache 'FILE:/tmp/krb5cc_desy'
>
>
> ===== Environment
> Now, in a new terminal I have the following:
>
> ~ > klist
> klist: krb5_cc_get_principal: No credentials cache file found
> ~ > tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID ***50) tokens for afs@desy.de [Expires Sep 23 08:18]
> User's (AFS ID ***38) tokens for afs@cern.ch [Expires Sep 23 08:18]
>   --End of list--
> ~ >

it's silly to hide these (AFS IDs). they give us nothing anyway.

>
>
> ===== SSH
> for ssh to both realms I have again the corresponding aliases, and it works
> like a charm:
>
> ~ > alias | grep c403
> alias c403='export KRB5CCNAME=FILE:/tmp/krb5cc_cern; ssh
> -vY glushkov@lxplus403.cern.ch'
> ~ > c403
> ...
> [lxplus403] ~ $ exit
>
> ~ > alias | grep cdesy
> alias cdesy='export KRB5CCNAME=FILE:/tmp/krb5cc_desy; ssh
> -vY glushkov@bastion.desy.de'
> ~ > cdesy
> OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
> ....
> bastion05:~> exit
> ~ >
>
>
> ===== Finder/Direct Access
> I don't understand the direct access to the files:
>
> ~ > touch /afs/desy.de/user/g/glushkov/testfile
> ~ > touch /afs/cern.ch/user/g/glushkov/testfile
>
> Sometimes (as in the case above) both are working..

you have tokens for both cells. you just got them, with aklog. if it
didn't work, that would be a bug.

> Sometimes
> only desy.de...

what tokens do you have then? get output when only desy works, from tokens.

> But why? Both of them should not be working, since there are
> no kerberos tokens (which is why the ssh requires password):

there are afs tokens, there are no (default) kerberos tickets.

incidentally, as long as you don't unlog, tokens (which on MacOS are
currently per-uid, not per-login session or any other grouping) are
still there until they expire.

regardless, your ticket caches are always irrelevant other than to run
aklog from.

> ~ > klist
> klist: krb5_cc_get_principal: No credentials cache file found
> ~ > tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID ***50) tokens for afs@desy.de [Expires Sep 23 08:18]
> User's (AFS ID ***38) tokens for afs@cern.ch [Expires Sep 23 08:18]
>   --End of list--
> ~ > ssh lxplus.cern.ch
> glushkov@lxplus.cern.ch's password:
>
> ~ > ssh=A0bastion.desy.de
> glushkov@bastion.desy.de's password:
>
> ~ >
>
> Questions:
> =========
> So where does afs get the credentials from (in this case)?

whichever ticket cache was current when you ran aklog.

> What is the
> default place for that in OSX?

whichever ticket cache you last accessed (which is new to lion)

you can use kswitch -p (principal) to make a different cache current;
or if you know which cache you want to use (API cred caches are
the default if you do not override) you can say e.g.
KRB5CCNAME=API:(somenumber) aklog ...

> (In Ticket Viewer.app there's no way to
> specify the realm to which one would like to get a ticket.)
> How can I make direct file access working reliably for both realms?

get tokens from both sets of tickets.

> Why there are always 5-6 afsd processes running on my machine?

that's how AFS creates userspace contexts to do work for the kernel,
like DNS lookups

> How can I
> kill them? (kill -9 does not work)

shut down AFS. AFS up, afsds run. AFS down, no afsds.

> How do I start/stop the afs daemon?

as root, launchctl stop org.openafs.filesystems.afs
opposite to start.

> How do I make the scp using the kerberos authentication? (I guess this is
> not the right forum for that one)

not really. it involves keying sshd and adding the right config settings.

>
>
> Regards,
> Ivan Glushkov
>
>



-- 
Derrick
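Added example, not from either message in the thread: a POSIX shell version of the `pas` alias that gives each realm its own FILE ticket cache (so no `kdestroy --all` is needed and the other realm's tickets survive), runs `kinit` and `aklog` under that cache, and then verifies from the output of `tokens`, not from `klist`, that every cell actually has a token. The cache naming scheme, the `--run` flag and the sample `tokens` output are constructed for the example.

```shell
#!/bin/sh
# Added example: one ticket cache per realm; cache naming, --run and SAMPLE_TOKENS are constructed.

# Per-realm FILE cache, e.g. CERN.CH -> FILE:/tmp/krb5cc_cern.ch_<uid>.
cache_for_realm() {
    printf 'FILE:/tmp/krb5cc_%s_%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$(id -u)"
}

# Read `tokens` output on stdin, print one cell name per held token.
cells_with_tokens() {
    sed -n 's/.*tokens for afs@\([^ ]*\) \[Expires.*/\1/p'
}

# $1 = cell, $2 = captured `tokens` output; succeed if a token for $1 is listed.
has_token_for_cell() {
    printf '%s\n' "$2" | cells_with_tokens | grep -qx "$1"
}

# $1 = user, $2 = realm, $3 = cell. kinit into this realm's own cache, then aklog
# from that cache; the other realms' caches are left alone (no kdestroy --all).
refresh_realm() {
    cache=$(cache_for_realm "$2")
    KRB5CCNAME=$cache kinit "$1@$2" || return 1
    KRB5CCNAME=$cache aklog -force -c "$3" -k "$2"
}

# $1 = user, remaining args REALM:cell. Refresh every realm, then verify from
# `tokens` output (not klist) that each cell has a token.
refresh_all() {
    user=$1; shift
    for pair in "$@"; do
        refresh_realm "$user" "${pair%%:*}" "${pair#*:}" ||
            { echo "kinit/aklog failed for ${pair%%:*}" >&2; return 1; }
    done
    held=$(tokens)
    for pair in "$@"; do
        has_token_for_cell "${pair#*:}" "$held" ||
            { echo "no AFS token for ${pair#*:}" >&2; return 1; }
    done
}

# Constructed `tokens` output, modelled on the one quoted in the thread.
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 10050) tokens for afs@desy.de [Expires Sep 23 08:18]
User's (AFS ID 10038) tokens for afs@cern.ch [Expires Sep 23 08:18]
   --End of list--"
if [ "${1:-}" = "--run" ]; then
    refresh_all glushkov CERN.CH:cern.ch DESY.DE:desy.de
fi
```

Run it as `sh refresh_afs.sh --run` (file name is arbitrary); without `--run` only the functions are defined, which is what the check below uses.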