[OpenAFS] Re: Samba & aklog

Andrew Deason adeason@sinenomine.net
Wed, 6 Aug 2014 23:29:18 -0500


On Wed, 06 Aug 2014 11:45:30 -0400
Craig Huckabee <huck@spawar.navy.mil> wrote:

>    A little research turned up a suggestion of doing something like this 
> in the smb.conf for AFS shares:
> 
> ...
> root preexec = /usr/bin/aklog -setpag -cell mycell.mil -keytab 
> /usr/afs/etc/rxkad.keytab -principal %u
> ...

I haven't used a setup like this myself, but I can try to offer some
more information.

Are you getting this specific configuration from somewhere, or adapting
some old instructions to newer openafs? I'm just wondering because, all
of the things I remember talking about this are relatively old (at least
older than rxkad.keytab). Things may have changed since then.

I would expect that the most likely reason this is behaving oddly is
either that 'aklog -setpag' is not working, or that the architecture of
samba may have changed. 'aklog -setpag' support has been a bit shaky,
but it does appear to work on an RHEL6 vm here. It is possible that it
can break on different kernel versions, though, or that there are just
problems when building your binary.

I would first try running 'aklog -setpag' manually to see if it works.
Ideally, I would run it from a session without a pag, and then acquire
tokens with -setpag, and see if you gain a pag:

$ keyctl show | grep pag
$ kinit
[...]
$ aklog -setpag
$ keyctl show | grep pag
932129517 ----s--v      0     0   \_ afs_pag: _pag
$

If that second 'keyctl show' invocation shows an afs_pag entry, you
gained a pag and 'aklog -setpag' appears to be working. If that's not
working, then we can provide some more information on finding out why.

However, even if that is working, I would think that setup would only
work if samba uses separate processes for connections for different
users; I don't know if that's true. You could ask samba for more info
(or maybe someone on this list knows), but you can also debug it by
setting 'root preexec' to some script where you put the output of
'keyctl show', 'tokens', 'aklog -setpag -d [...]', and maybe also a
process list in some log file somewhere. That would help give you a
better picture of what's happening with the pag and credentials and such
when the 'root preexec' is running. (I'd run keyctl/tokens/etc before
and after the actual aklog)

>    This almost works but I think I'm running into either PAG issues or 
> some other weirdness.  Testing the connection it appears that sometimes 
> I get tokens, sometimes I don't.  Not sure if I need to force the smbd 
> into a new PAG on startup.

No, I don't think you should need to have a pag for the parent smbd
process itself. The 'parent' pag shouldn't matter, since credentials for
users should be contained to just that session/connection.

-- 
Andrew Deason
adeason@sinenomine.net
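As an added example that is not part of Andrew's reply or of the OpenAFS or Samba projects, here is one shape the logging 'root preexec' script described in the reply could take. It does only what the reply suggests: record 'keyctl show', 'tokens' and the process list before and after running the aklog command from the quoted smb.conf line, with 'aklog -setpag -d', and write it all to a log file. The log path, the SMB_AKLOG_LOG/AFS_CELL/AFS_KEYTAB variable names, the install path in the smb.conf line and the sample 'keyctl show' output are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: a debugging 'root preexec'
# wrapper for the samba + aklog setup discussed above. It logs PAG and token
# state before and after running aklog, as the reply suggests.
# Assumptions not taken from the thread: the log path, the environment
# variable names, and that smb.conf invokes this script as
#   root preexec = /usr/local/sbin/smb-aklog-debug %u

LOG=${SMB_AKLOG_LOG:-/var/log/smb-aklog.log}       # assumed log location
CELL=${AFS_CELL:-mycell.mil}                        # cell from the quoted smb.conf
KEYTAB=${AFS_KEYTAB:-/usr/afs/etc/rxkad.keytab}     # keytab from the quoted smb.conf

# has_pag: reads 'keyctl show' output on stdin; succeeds if an afs_pag key is listed.
has_pag() {
    grep -q 'afs_pag'
}

# pag_key_id: reads 'keyctl show' output on stdin and prints the key id of the
# afs_pag entry (first field of the matching line, e.g. 932129517 in the reply).
pag_key_id() {
    awk '/afs_pag/ { print $1; exit }'
}

# run_if_present CMD ARGS...: run CMD if it is installed, else note that in the log.
run_if_present() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1
    else
        echo "($1 not installed)"
    fi
}

# snapshot LABEL: print keyring, token and process state for the log.
snapshot() {
    echo "== $1 pid=$$ ppid=$PPID uid=$(id -u) $(date)"
    echo "-- keyctl show"
    run_if_present keyctl show
    echo "-- tokens"
    run_if_present tokens
    echo "-- process list (this shell and its parent, normally smbd)"
    run_if_present ps -o pid,ppid,user,comm -p "$$,$PPID"
}

# main USER: the root preexec entry point; USER is samba's %u.
main() {
    user=$1
    {
        snapshot "before aklog (user=$user)"
        # aklog runs as a direct child of this shell (no subshell or pipeline), so a
        # PAG it sets lands on this process, which is what the manual test checks.
        echo "-- aklog -setpag -d"
        run_if_present aklog -setpag -d -cell "$CELL" -keytab "$KEYTAB" -principal "$user"
        echo "aklog exit status: $?"
        snapshot "after aklog (user=$user)"
        if keyctl show 2>/dev/null | has_pag; then
            echo "RESULT: afs_pag key $(keyctl show 2>/dev/null | pag_key_id) present"
        else
            echo "RESULT: no afs_pag key in this session"
        fi
    } >> "$LOG" 2>&1
}

# Only act when smbd passes a user name; running with no arguments does nothing.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Compare the "before" and "after" snapshots for one connection: if the afs_pag key and the token only appear in the "after" section and the process list shows a fresh smbd child per connection, the per-user setup the reply describes is at least plausible; if the key is already there "before", or the same smbd pid serves several users, that points at the architecture question the reply raises.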