On the SuSE 9.2 systems (about 5) [...]
I've found the right kernel module, and now I'm facing some problems in making SuSE authenticate over our KDCs and use the AFS namespace for home directories.
First, the AFS client seems to support only *one* IP address. I entered just one and OK, it seems that the cell is working anyway --- is the CellSrvDB enough? I don't know anymore!
===[/etc/sysconfig/afs-client]===
THIS_CELL_SERVER="ip.address"
THIS_CELL_SERVER_NAME="cell.name"
Now, the problem is Kerberos5 and LDAP. We have MIT K5 along with OpenLDAP just for uid/gid and home dirs, both on Debian stable (we have other info of course, but none of it is important from this point of view). LDAP has *NO* base DN. We have Gentoo, Debian, Knoppix and Red Hat clients all working, but no luck with SuSE!
I can kinit and I gain the right token. The authentication from pam and nss_ldap are NOT working. Anyway, I don't see anything bad in my configuration:
===[/etc/openldap/ldap.conf]===
base
host dir.cell.name slave.cell.name
nss_base_passwd
nss_base_shadow
nss_base_group

===[/etc/nsswitch.conf]===
passwd:     files ldap
group:      files ldap
shadow:     files ldap

hosts:      files dns
networks:   files dns

services:   db files
protocols:  db files
rpc:        db files
ethers:     db files
netmasks:   files
netgroup:   files
publickey:  files

bootparams: files
automount:  files
aliases:    files

===[/etc/pam.d/login]===
auth     requisite  pam_unix2.so    nullok #set_secrpc
auth     required   pam_krb5afs.so  use_first_pass nodelay
auth     required   pam_securetty.so
auth     required   pam_nologin.so
#auth    required   pam_homecheck.so
auth     required   pam_env.so
auth     required   pam_mail.so
account  required   pam_unix2.so
password required   pam_pwcheck.so  nullok
password required   pam_unix2.so    nullok use_first_pass use_authtok
password required   pam_krb5afs.so
session  required   pam_unix2.so    none # debug or trace
session  required   pam_limits.so
session  required   pam_resmgr.so

===[/etc/sysconfig/ldap]===
BASE_CONFIG_DN=""
BIND_DN=""

===[/etc/krb5.conf]===
[libdefaults]
    clockskew = 300
    default_realm = CELL.NAME

[realms]
    CELL.NAME = {
        kdc = krb.cell.name
        kdc = slave.cell.name
        default_domain = cell.name
        kpasswd_server = krb.cell.name
    }

[domain_realm]
    .cell.name = CELL.NAME
    cell.name = CELL.NAME

[logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
        afs_cells = cell.name
    }
I get this in /var/log/messages:
Dec 27 16:25:20 plm02 -- MARK --
Dec 27 16:41:43 plm02 login[15375]: pam_krb5afs: unable to determine uid/gid for user
Dec 27 16:41:43 plm02 login[15375]: pam_krb5afs: authentication fails for `username'
Dec 27 16:41:43 plm02 login[15375]: pam_krb5afs: pam_sm_authenticate returning 10 (User not known to the underlying authentication module)
Dec 27 16:41:50 plm02 login[15375]: FAILED LOGIN 1 FROM /dev/tty1 FOR UNKNOWN, User not known to the underlying authentication module
Dec 27 16:41:54 plm02 modprobe: FATAL: Could not load /lib/modules/2.6.8-24-default/modules.dep: No such file or directory
Anyway... I can use Kerberos and AFS, but NOT LDAP with nsswitch. LDAP is working CORRECTLY under GSSAPI!
plm02:/var/log # klist
klist: No ticket file: /tmp/krb5cc_0

plm02:/var/log # tokens

Tokens held by the Cache Manager:

   --End of list--

plm02:/var/log # kinit username
[EMAIL PROTECTED]'s Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

plm02:/var/log # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [EMAIL PROTECTED]

  Issued           Expires          Principal
Dec 27 16:44:36  Dec 28 02:44:36  krbtgt/[EMAIL PROTECTED]
Dec 27 16:44:36  Dec 28 02:44:36  afs/[EMAIL PROTECTED]

plm02:/var/log # tokens

Tokens held by the Cache Manager:

Tokens for [EMAIL PROTECTED] [Expires Dec 28 02:44]
   --End of list--
I can use AFS after all:
plm02:/var/log # cd /afs/cell.name/usr/u/username/private/
plm02:/afs/cell.name/usr/u/username/private/ # touch a
plm02:/afs/cell.name/usr/u/username/private/ # rm a

plm02:/afs/cell.name/usr/u/username/private/ # fs listacl .
Access list for . is
Normal rights:
  system:administrators rlidwka
  username rlidwka
But nsswitch isn't working!
plm02:/afs/cell.name/usr/u/username/private/ # groups username
id: username: No such user

plm02:/afs/cell.name/usr/u/username/private/ # ldapsearch "cn=plm"
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=plm
# requesting: ALL
#

# plm
dn: cn=plm
objectClass: top
objectClass: posixGroup
cn: plm
gidNumber: 10002
memberUid: username
description: afs plm group

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1
You're using SuSE... so... what's going on here? :(
--
Sensei <mailto:[EMAIL PROTECTED]> <pgp:8998A2DB> <icqnum:241572242> <yahoo!:sensei_sen> <msn-id:[EMAIL PROTECTED]>

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
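An added checker (not from the post or the OpenAFS project) for the configuration shown above: pam_krb5afs logs "unable to determine uid/gid for user" when getpwnam() fails, so the user must resolve through NSS before Kerberos is even tried. The script lints the posted ldap.conf and nsswitch.conf for the ways nss_ldap differs from an interactive GSSAPI ldapsearch (anonymous bind, empty search base, shadow lookups); the "fixed" values in the test are constructed placeholders.

```python
"""Lint nss_ldap settings that can make `id user` fail while a GSSAPI ldapsearch works."""


def parse_kv(text):
    """ldap.conf style: 'key value...' per line, '#' starts a comment, keys lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_nsswitch(text):
    """nsswitch.conf style: 'database: source source...' per line."""
    nss = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, _, sources = line.partition(":")
            nss[name.strip()] = sources.split()
    return nss


def lint(ldap_conf, nsswitch):
    """Return a list of (code, explanation); empty means nothing obvious."""
    conf, nss = parse_kv(ldap_conf), parse_nsswitch(nsswitch)
    out = []
    if "ldap" not in nss.get("passwd", []):
        out.append(("no-ldap-passwd", "nsswitch.conf does not consult ldap for passwd"))
    if not (conf.get("uri") or conf.get("host")):
        out.append(("no-server", "ldap.conf names no server (uri/host)"))
    if not conf.get("base"):
        out.append(("empty-base", "base is empty: nss_ldap searches from the empty DN; "
                    "verify the server answers an anonymous subtree search there"))
    if not conf.get("binddn") and conf.get("use_sasl", "").lower() not in ("on", "yes", "true"):
        out.append(("anon-bind", "no binddn/use_sasl: nss_ldap binds anonymously, unlike a "
                    "GSSAPI ldapsearch, so the ACLs for anonymous decide what it sees"))
    if "ldap" in nss.get("shadow", []) and not conf.get("rootbinddn"):
        out.append(("shadow-anon", "shadow via ldap without rootbinddn: pam_unix2 gets a "
                    "password hash only if userPassword is exposed to anonymous"))
    return out


# Values copied from the post's ldap.conf and nsswitch.conf
POST_LDAP_CONF = "base\nhost dir.cell.name slave.cell.name\nnss_base_passwd\nnss_base_shadow\nnss_base_group\n"
POST_NSSWITCH = "passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n"

if __name__ == "__main__":
    for code, why in lint(POST_LDAP_CONF, POST_NSSWITCH):
        print(f"[{code}] {why}")
```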