[OpenAFS] kinit/aklog auto-authenticate info

Sergio Gelato Sergio.Gelato@astro.su.se
Sat, 2 Jul 2016 14:14:49 +0200

* Shadrach Smith [2016-06-30 17:10:45 +0000]:
> Thanks Ben,
> I'm trying to setup afs and kerberos in a way that when the users log in, they are automatically authenticated to kerberos and afs.
> I've tried different pam settings, and it doesn't seem like it is supposed to be difficult.

Indeed I don't find it difficult. Maybe you could describe what it is that
you've tried and in what ways it failed? Note that most PAM modules can be
made to log their decisions verbosely when passed the "debug" option.

> I do not have any central login servers, just linux clients using /etc/passwd, kerberos and afs

Is the intent that users should authenticate to the clients using their
Kerberos credentials? The usual answer is "yes". If so, you'll need
pam_krb5 or equivalent in your configuration. You'll almost certainly
also want a host/f.q.d.n@REALM service principal for each client, with
the corresponding keys stored in /etc/krb5.keytab; if you don't have this
you may need additional configuration, the details of which depend on the
pam_krb5 implementation (I'm not sure what CentOS 6.7 is using).

If users are to log in using other, non-Kerberos, credentials (e.g.,
ssh public keys) you'll need to either prompt them for their Kerberos
password or set up some other mechanism to get a TGT based on the
authentication they did provide.

> I'll check out k5start
> Cheers,
> Shadrach
> ________________________________
> From: Benjamin Kaduk <kaduk@MIT.EDU>
> Sent: Thursday, June 30, 2016 11:58:42 AM
> To: Shadrach Smith
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] kinit/aklog auto-authenticate info
> On Wed, 29 Jun 2016, Shadrach Smith wrote:
> > I'm having trouble getting my users to auto authenticate (very necessary
> > for openlava)
> > Is there a good resource for this?  I'm seeing a lot of different information and nothing appears definitive.
> > centos 6.7, openafs 1.6.14-1, pam-afs-session-2.6
> The question is a bit sparse on the actual details of what you want, but
> the first thing I would point you at is Russ Allbery's k5start -- despite
> the name, it can manage AFS tokens as well as kerberos tickets, starting
> from keytab (preferred) or password.
> -Ben