Re: [OpenAFS] AFS client on AIX: is there hope?

2005-04-20 Thread Franco "Sensei"
Christopher D. Clausen wrote:
> I'm using Solaris for my servers, two are Solaris 10 running 1.3.80 and
> one is still Solaris 9 running 1.2.13.

> I'm using NIS for account information.
NIS, I see.
> Which Kerberos are you using?
For KDC, I have debian woody's packages, so MIT.
> I compiled and am using MIT Kerberos 1.3.1 or possibly 1.3.6, not sure
> exactly.

> I thought someone had previously mentioned a pure Kerberos 5 aklog
> available somewhere, but I haven't yet tried to compile it on AIX nor do
> I remember where it is available from.
We can compile (at least I hope) aklog from sources, but the problem is
that I don't see where to attach aklog, which has to be run before a
session is opened.

> I just downloaded and compiled gssklog on AIX:
> ftp://achilles.ctd.anl.gov/pub/DEE/
> Of course, this requires gssklogd running on your AFS servers, but this
> was an acceptable alternative for us since we also use gssklog from our
> Windows 2003 machines.
Mmmh... another daemon, another port open. We can give it a try anyway.
How can you use it on AIX? I mean, how do you start gssklog in your
config files?

> I have an AIX 5.1 and 5.2 machine with AFS and Kerberos working quite
> well.  Only issue is that users do not automatically acquire tokens at
> login.  They simply run gssklog to obtain tokens.  This is acceptable in
> my environment.  You might be able to get a pam_run or similar module to
> run an aklog or gssklog at login on AIX 5.2.  (AIX 5.1 has no real PAM.)
> Is this the only problem you are having?
I can't use LDAP to retrieve user information. And... it's quite bad not
having any token at login! :) Do you use ssh or a direct login?

> There was a recent post about afs_dynamic_kerbauth working in 1.3.80 but
> I still run 1.2.13 on my AIX machines.  Can someone confirm that it does
> indeed work against a Kerberos 5 KDC?  afs_dynamic_kerbauth does NOT
> appear to work against a Kerberos 5 KDC in the 1.2.13 version, although
> I will re-test if someone believes it does.
I'd be happy staying with the stable branch... If I'm right
afs_dynamic_kerbauth works with Kerberos 4, not 5... is it so?

--
Sensei  
The difference between stupidity and genius is that genius has its limits.
   Albert Einstein


signature.asc
Description: OpenPGP digital signature


[OpenAFS] AFS client on AIX: is there hope?

2005-04-20 Thread Franco "Sensei"
Hi, still trying to have my AIX 5.2 get on my cell!
My situation (again). Kerberos KDC, OpenAFS, OpenLDAP on debian stable.
Kerberos authenticates, LDAP gives home information along with GID/UID
(*flat* database: "uid=username, objectClass=top,
objectClass=posixAccount..."), and at last I convert the ticket into an AFS
token and the session begins.

What have I succeeded in doing? Kerberos can kinit, ktutil and kadmin.
OpenAFS mounts my cell correctly, but I can't access it since I don't
have the tokens. Perfect.

Now how do I make this work under AIX? How to convert tickets into tokens?
How to use LDAP for user info? I've contacted AIX newsgroups but nothing.
They use AIX just server-side.

Has anyone an AIX machine being a client of AFS & Kerberos?
--
Sensei  
The difference between stupidity and genius is that genius has its limits.
   Albert Einstein


signature.asc
Description: OpenPGP digital signature


Re: [OpenAFS] Kerberos 5 in OpenAFS

2005-04-20 Thread Franco "Sensei"
[EMAIL PROTECTED] wrote:
> OK I understand, but I don't have to worry about users and passwords and user directories. Because this is a test project.
> What I think I should do is get the migration tools: asetkey and aklog.
> Create an afs entry in Kerberos and so on ...
> But I can't find these migration tools for gentoo.
> Is there someone who knows where to find them??
You can grab them from debian's repository and recompile them. Make sure
you modify the makefiles, because libraries have changed since woody
versions.

--
Sensei  
The difference between stupidity and genius is that genius has its limits.
   Albert Einstein


signature.asc
Description: OpenPGP digital signature


Re: [OpenAFS] Problem with pam on debian with 1.3.81 kernel 2.6.11

2005-04-14 Thread Franco "Sensei"
Lars Schimmer wrote:
> Ok, after some more looking, I found I haven't got the
> pam_krb5afs.so pam
> module.
> Only the pam_krb5 modules and pam_openafs_session.so.
>
> So, where did you get that pam_krb5afs.so module?
Use debian pam_openafs_session.so, it works: I don't know if it has
changed, but debian stable didn't provide pam_krb5afs.so like suse does.
Just use the debian PAM module as a session after pam_krb5.so, so that it
calls aklog and you get your tokens.

--
Sensei


signature.asc
Description: OpenPGP digital signature


Re: [OpenAFS] afs_pam2 - A simpler approach to AFS integration during login

2005-04-13 Thread Franco "Sensei"
Douglas E. Engert wrote:
> As we start to use vendor provided Kerberos, OpenSSH and PAM modules,
> AFS integration into the login process becomes more difficult, as
> some vendors do not provide OpenAFS. We have no problems with installing
> OpenAFS separately, but would like to not have to replace the vendor's
> pam_krb5 or sshd modules that combine Kerberos and AFS.
Of course I would go with things as vanilla as possible.
> Kerberos and OpenSSH are much more widely known and accepted
> by OS vendors and sysadmins than OpenAFS. Almost all vendors now support
> Kerberos and SSH, but there are a lot of vendors that do not support
> OpenAFS. And many sysadmins are reluctant to replace the PAM
> and SSH to support OpenAFS versions. They may be willing to add
> but not replace.
More or less...
> I would like to contribute to OpenAFS two source modules, pam_afs2.c
> and gafstoken.c.  These can be found today in two separate build
> packages:
>  ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar
>  ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar
Ok.
> pam_afs2.c is a PAM routine that can be called after a pam_krb5
> routine has been called. All pam_afs2.c requires is that the pam_krb5
> routine has stored the credentials and done pam_putenv of the
> KRB5CCNAME.
> pam_afs2.c will then call the gafstoken routine that will
> get a PAG using syscalls, then fork/exec your favorite aklog,
> ak5log, gssklog, or afslog to actually get the token.
Basically, you're doing the same thing as pam_openafs_session.so in
debian.

> Since pam_afs2.c and gafstoken.c have no AFS or Kerberos code
> in them directly (other than the syscalls to get a PAG), this helps
> to simplify the integration and avoids Kerberos lib name clashes and
> eliminates 32 vs 64 bit version problems and allows for
> integration at the pam.conf level.
Is pam_afs2.so at session level like pam_openafs_session.so? Where is it
called?

> I have been using these routines on Solaris 9 for almost 6 months
> and AFS and Kerberos V5 work well with dtlogin, xscreensaver, xlock
> and friends. Unlocking the screen will keep the same PAG, but get
> a new Kerberos ticket and AFS token.
That's good.
> We have been using the MIT Kerberos on Solaris, but expect to
> have a simple conversion to Solaris 10 using the Solaris Kerberos.
> I have also done some testing on RedHat using their pam_krb5.o,
> rather than the pam_krb5afs.o.
I find pam_krb5afs.so better, but I didn't realize how to get a PAG before
enabling the shell (suse linux).

> pam_afs2 also works well with OpenSSH pam session support, to get
> the PAG and token, with no OpenSSH mods required.
It doesn't work for SSO though. Am I right?
> The two tar files listed above will configure to build the
> pam routine and the gafstoken lib. They each have a README
> file which goes into more detail. A pam.conf file for Solaris is
> also included in the tar file.
I'll give it a chance, but did you try something for AIX?
--
Sensei


signature.asc
Description: OpenPGP digital signature


[OpenAFS] Join kerberosV-based cell on AIX

2005-04-07 Thread Franco "Sensei"
Hi.
Can you point out to me how to make my AIX 5.2 be a client of our AFS cell?
We don't rely on kaserver, we use Kerberos 5 (MIT KDC) for authentication.

I don't see how to connect the two... on AIX we have the standard AIX
Kerberos, I think it's MIT-based.

--
Sensei


signature.asc
Description: OpenPGP digital signature


[OpenAFS] AIX 5.2 Setup (k5/afs/ldap)

2005-03-23 Thread Franco "Sensei"
Hi.
I'm quite new to AIX, so please excuse me... probably it's simple...
I've read the redbook about AIX/Linux, but in no way can I figure out
if I'm doing it right, and I miss a step... I'm struggling with AIX 5.2...
my knowledge is more on Linux, AIX seems to have a different way of
interpreting authentication...
First, I configured Kerberos 5 and LDAP. Now I can obtain a ticket from
our KDCs, and LDAP works for queries... I noticed also that LDAP comes
with no GSSAPI!

Now, I don't know how to continue, since AFS is running without
kaserver, we have MIT KDC and OpenLDAP for home directory and UID/GID
mapping... Then... how can I make AIX join the AFS cell as a client?

In simple tasks:
- UID/GID mapping with LDAP entries
- Kerberos authentication (lsauthent shows K5 and then STD)
- AFS token grabbing (default K5 on AIX seems MIT-like)
Tell me if my guesses are right:
First, /etc/security/user
default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        SYSTEM = "KRB5files OR compat"
*       SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
        registry = DCE
        umask = 022
        expires = 0
        logintimes =
        pwdwarntime = 0
        account_locked = false

Then /usr/lib/security/methods.cfg
AFS:
        program = /usr/vice/etc/afs_dynamic_auth
KRB5:
        program = /usr/lib/security/KRB5
KRB5files:
        options = db=BUILTIN,auth=KRB5
Finally /usr/vice/etc (ThisCell, CellServDB), and LDAP. Everything seems
to work, but now I need to glue all the pieces... can you tell me if I'm
doing it right?

plmserver:~> ldapsearch "cn=plm"
version: 2
#
# filter: cn=plm
# requesting: ALL
#
# plm
dn: cn=plm
objectClass: top
objectClass: posixGroup
cn: plm
gidNumber: 10002
memberUid: username
description: afs plm group
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
plmserver:~> kinit username
Password for [EMAIL PROTECTED]:
plmserver:~> klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_10831
Default principal:  [EMAIL PROTECTED]
Valid starting     Expires            Service principal
03/17/05 20:48:47  03/18/05 06:48:47  krbtgt/[EMAIL PROTECTED]
plmserver:~>
--
Sensei


signature.asc
Description: OpenPGP digital signature


Re: [OpenAFS] SSH: pag after ticket forwarding

2005-02-25 Thread Franco "Sensei"
John Koyle wrote:
> Make sure you are using the pam module.  Here's the
> /etc/security/pam_unix2.conf file on all my suse systems:
>
> auth:   call_modules=krb5afs nullok
> account:use_ldap call_modules=krb5afs
> password:   call_modules=krb5afs nullok
> session:none
This is my pam_unix2.conf:
auth:   call_modules=krb5afs
account:call_modules=krb5afs
password:   call_modules=krb5afs
session:call_modules=krb5afs
I don't use use_ldap in pam_unix2 since I have nsswitch.conf set up for
password, group and shadow to ``files ldap''.

> You may not have LDAP installed on your systems though, so the main
> thing you're after is the krb5afs entries.  I am using the stock OpenSSH
> and OpenAFS on all my SuSE boxes and everything works fine, no patches
> needed.
I don't see the important difference between me and you... in both cases
we use krb5afs except nullok, which should make no difference... I think...

--
Sensei


signature.asc
Description: OpenPGP digital signature


[OpenAFS] SSH: pag after ticket forwarding

2005-02-24 Thread Franco "Sensei"
Hi.
I'm using openssh 3.9p1 for sso under various distributions: mainly 
debian which ships with openssh 3.4p1, suse and rh (the latter is not so 
important for me now). My environment is openafs (no kaserver), mit 
kerberos 5.

SuSE uses Heimdal, so kinit gets tickets and a token directly.  I can 
ssh without passwords between suse machines but I can't get the 
respective token:

plm02:~> ssh plm05
Last login: Mon Jan  3 17:02:46 2005 from console
Have a lot of fun...
-bash: /afs/cell/usr/u/user/.bash_profile: Permission denied
plm05:~> klist
Credentials cache: FILE:/tmp/krb5cc_J17829
Principal: [EMAIL PROTECTED]
  Issued   Expires  Principal
Feb 24 23:27:01  Feb 25 09:26:50  krbtgt/[EMAIL PROTECTED]
What patch should I apply for solving this problem with afs tokens?
--
Sensei


signature.asc
Description: OpenPGP digital signature
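Both the AIX posts (where users end up running aklog or gssklog by hand because no PAM session module does it for them) and the ssh case above (a forwarded ticket arrives, but no token) need the same small piece of login glue: check for a valid Kerberos ticket, turn it into an AFS token, and confirm the Cache Manager now holds one. The script below is an added example written for this page; it is not code from the list, from OpenAFS, or from any of the posters. It assumes klist, aklog (or gssklog) and tokens are on PATH, that klist -s exits 0 only when the cache holds a valid ticket (MIT and Heimdal both do this; that the AIX-bundled klist does is an assumption), that aklog accepts -c cell, and that the cell name can be read from /usr/vice/etc/ThisCell when none is given.

```shell
#!/bin/sh
# Added example (not from the thread): login-time glue that turns an
# already-acquired Kerberos 5 ticket into an AFS token on hosts where no
# PAM session module (pam_openafs_session, pam_afs2) runs aklog for you.
# Assumptions: klist, aklog or gssklog, and tokens are on PATH; "klist -s"
# exits 0 only for a valid ticket; aklog accepts "-c <cell>".

# 0 if the current credential cache (KRB5CCNAME or the default one)
# holds a valid, unexpired ticket.
have_tgt() {
    klist -s >/dev/null 2>&1
}

# 0 if the Cache Manager already holds a token for the cell. "tokens"
# prints one "... tokens for afs@<cell> [Expires ...]" line per token.
have_token() {
    tokens 2>/dev/null | grep "tokens for afs@$1" >/dev/null
}

# Obtain a token for the cell: aklog if present, else gssklog (which
# needs gssklogd on the AFS servers, as the thread notes).
get_token() {
    if command -v aklog >/dev/null 2>&1; then
        aklog -c "$1"
    elif command -v gssklog >/dev/null 2>&1; then
        gssklog
    else
        echo "neither aklog nor gssklog found on PATH" >&2
        return 127
    fi
}

# Returns 0 when the session ends up holding a token, 1 when it cannot
# (no ticket, or the token program failed), 2 when no cell is known.
afs_session_glue() {
    cell=${1:-$(cat /usr/vice/etc/ThisCell 2>/dev/null)}
    if [ -z "$cell" ]; then
        echo "no cell given and /usr/vice/etc/ThisCell is unreadable" >&2
        return 2
    fi
    if have_token "$cell"; then
        return 0            # a PAM module or an earlier run already did it
    fi
    if ! have_tgt; then
        echo "no valid Kerberos ticket in ${KRB5CCNAME:-the default cache}; run kinit first" >&2
        return 1
    fi
    get_token "$cell" || return 1
    have_token "$cell"
}

# Usage from a system-side profile, e.g. in /etc/profile:
#   . /etc/afs_session_glue.sh && afs_session_glue
```

Two caveats follow directly from the posts. The "Permission denied" on /afs/cell/usr/u/user/.bash_profile shows why the glue has to live on local disk (such as /etc/profile) rather than in the user's own profile: the home directory in AFS is unreadable until the token exists. And the script does not create a PAG; that is what pam_openafs_session and pam_afs2/gafstoken do with their syscalls before exec-ing aklog, so a token obtained this way is bound to whatever PAG the session already has, or to the UID if there is none.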


Re: [OpenAFS] MacOSX with reliable AFS homedirs?

2005-02-04 Thread Franco "Sensei"
Troy Benjegerdes wrote:
> Has anyone gotten Krb5, ldap, and AFS homedirs working reliably?
> We've had to resort to setting up each individual user with a startup
> items script to run aklog.
> I've tried the 'kfm_aklog' plugin, but it doesn't seem to work, and none
> of the apple login hook stuff seems to work.
>
> What is the equivalent of a linux PAM line like:
> session	libpam-openafs-session.so debug
I have set up macosx for your combination. Install k5 and aklog for osx 
along with openafs for osx (configuring it), make the directory service 
aware of your ldap setting (ldap must use the posixAccount schema, 
remember!), modify edu.mit.Kerberos, and finally modify the 
authorization in /private/etc/authorization --- works perfectly. Google 
for osx kerberos --- you'll find many pages on the topic.

Hope it helped.
--
Sensei


signature.asc
Description: OpenPGP digital signature