Re: [OpenAFS] Administrators with a slash
On Wed, Mar 06, 2019 at 03:28:10PM +0200, Ciprian Dorin Craciun wrote:
> On Wed, Mar 6, 2019 at 7:16 AM Benjamin Kaduk wrote:
> > To a large extent, getting Kerberos set up is pretty much drop it in and
> > switch it on, but there's a lot of flexibility about principal names,
> > especially for administrative operations.  Getting it integrated with
> > OpenAFS is mostly about having the right 'pts createuser's happen to
> > register users, and creating the afs/cellname.fqdn principal to go in the
> > rxkad.keytab and/or KeyFileExt -- at this point, AFS is just a regular
> > kerberized service and doesn't require special treatment on the Kerberos
> > side for the service principals.
>
> Indeed this was my experience also, the Kerberos deployment was quite
> trivial (once I've done it); however it seemed (and still seems) that
> I've "lost" something along the way because I lack the proper know-how
> and expertise with Kerberos.
>
> > I don't know of specific documentation for this, no.
> > I think that many sites running Kerberos+AFS have some homegrown database
> > management system that handles both and keeps them synchronized.
>
> And this is unfortunate, especially since deploying OpenAFS "seems" a
> daunting task for the small cell operator, or one that just wants to
> "play" with the technology.  I say "seems" because deploying an
> OpenAFS server can be done quite quickly with a couple of copy-pastes.

Indeed.

> Perhaps (if I'll have time) I will prepare a small hands-on tutorial
> on deploying OpenAFS on a Linux server.  (I know that there already
> exists the "Quick Starting UNIX Guide", however it is far from
> "quick"...)  :)

I think there's definitely room for a tutorial as well as the quick-start
guide, as some general encouragement for you.

> > > > Of course, rxgk will let us use fancier names for things, so we'll have to
> > > > get used to a whole new world order when that finishes landing...
> > >
> > > Could you elaborate more on this?
> >
> > The short form is that we'll be able to use (encoded) GSS principal
> > names in the UserList file.  It looks like the details haven't made it into
> > the UserList.pod documentation yet (unsurprising, since the code to
> > authenticate as them isn't in place yet), but the format includes a base64
> > encoded version of the GSS exported name.
>
> Basically it means one could use something alternative to Kerberos for
> authentication?  (Something that is GSS-compliant?)

It's still going to be Kerberos, but will look more like a native Kerberos 5
setup (the current thing was originally Kerberos 4 and had some Kerberos 5
tacked on as an emergency patch, basically).  In particular, it will use
non-broken crypto for the actual encryption operations for data on the wire,
and have an integrity-only scheme that would actually be useful.

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
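As an added illustration of what the "base64 encoded version of the GSS exported name" Ben mentions actually contains, here is the RFC 2743 section 3.2 exported-name encoding for a Kerberos principal, with a strict parser for the reverse direction. This is my example code, not OpenAFS's; the principal and realm (EXAMPLE.COM) are made up, and since the thread says the UserList line layout around this payload is not yet documented, only the payload itself is built and checked here.

```python
"""RFC 2743 section 3.2 exported-name encoding of a Kerberos principal, and
the base64 text such a name becomes.  Added example, not OpenAFS code: the
thread says the new UserList format carries a base64 exported name but does
not document the line layout, so only that payload is built and checked."""
from __future__ import annotations

import base64
import struct

EXPORTED_NAME_TOK_ID = b"\x04\x01"         # RFC 2743 3.2 TOK_ID
KRB5_MECH_OID = "1.2.840.113554.1.2.2"     # RFC 1964 Kerberos V5 mechanism


def der_encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:                      # continuation bytes carry the high bit
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    if len(body) >= 0x80:
        raise ValueError("long-form length not supported")
    return bytes([0x06, len(body)]) + bytes(body)


def der_decode_oid(der: bytes) -> str:
    """Inverse of der_encode_oid; rejects anything that is not exactly one
    well-formed short-form OID."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("malformed OID")
    body = der[2:]
    arcs = [body[0] // 40, body[0] % 40]
    value, pending = 0, False
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        pending = bool(byte & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def gss_export_name_krb5(principal: str) -> bytes:
    """TOK_ID || MECH_OID_LEN (2) || MECH_OID (DER) || NAME_LEN (4) || NAME.
    For the krb5 mechanism NAME is the principal's text form (RFC 1964 2.1.3)."""
    mech = der_encode_oid(KRB5_MECH_OID)
    name = principal.encode("utf-8")
    return (EXPORTED_NAME_TOK_ID + struct.pack(">H", len(mech)) + mech
            + struct.pack(">I", len(name)) + name)


def parse_exported_name(blob: bytes) -> tuple[str, str]:
    """Strict parse to (mechanism OID, name).  The length fields must account
    for every byte: an access-control file should not tolerate slack."""
    if len(blob) < 8 or blob[:2] != EXPORTED_NAME_TOK_ID:
        raise ValueError("not an exported-name token")
    (mech_len,) = struct.unpack(">H", blob[2:4])
    name_off = 4 + mech_len + 4
    if len(blob) < name_off:
        raise ValueError("truncated mechanism OID")
    oid = der_decode_oid(blob[4:4 + mech_len])
    (name_len,) = struct.unpack(">I", blob[4 + mech_len:name_off])
    if len(blob) != name_off + name_len:
        raise ValueError("name length does not match token length")
    return oid, blob[name_off:].decode("utf-8")


def userlist_payload(principal: str) -> str:
    """base64 text of the exported name, i.e. the encoded form the thread
    says a UserList entry will carry for a GSS principal."""
    return base64.b64encode(gss_export_name_krb5(principal)).decode("ascii")


def parse_userlist_payload(text: str) -> tuple[str, str]:
    """Decode and strictly parse a base64 payload; a caller should also
    check the OID is the mechanism it expects before trusting the name."""
    return parse_exported_name(base64.b64decode(text, validate=True))


def is_valid_payload(text: str) -> bool:
    try:
        parse_userlist_payload(text)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # constructed principal; the realm is a placeholder, not a real cell
    p = "bobb.crosbie/admin@EXAMPLE.COM"
    print(gss_export_name_krb5(p).hex())
    print(userlist_payload(p), "->", parse_userlist_payload(userlist_payload(p)))
```

The point of the strict parser is the one an access-control file needs: both length fields have to account for every byte, so a payload with trailing or missing bytes is refused rather than matched against a shorter or longer name than the administrator wrote down.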
Re: [OpenAFS] Administrators with a slash
I should add we did successfully use Win7 Pro with the same setup.  With 10,
we made sure to get all to Enterprise instead of Pro.

On Wed, Mar 06, 2019 at 05:36:30PM +0100, Dirk Heinrichs wrote:
> On 06.03.19 at 16:59, Dave Botsch wrote:
>
> > I'm curious what problems you have run into.  We are bouncing Win10
> > against MIT Kerberos just fine, so clearly something is different in
> > our attempted setups.
>
> Can't really remember, too long ago.  Is this Home or Pro?
>
> Bye...
>
> Dirk
>
> --
> Dirk Heinrichs
> GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
> Secure Internet communication: http://www.retroshare.org
> Privacy Handbuch: https://www.privacy-handbuch.de

--
David William Botsch
Programmer/Analyst
@CNFComputing
bot...@cnf.cornell.edu
Re: [OpenAFS] Administrators with a slash
Neither.  Enterprise.

On Wed, Mar 06, 2019 at 05:36:30PM +0100, Dirk Heinrichs wrote:
> On 06.03.19 at 16:59, Dave Botsch wrote:
>
> > I'm curious what problems you have run into.  We are bouncing Win10
> > against MIT Kerberos just fine, so clearly something is different in
> > our attempted setups.
>
> Can't really remember, too long ago.  Is this Home or Pro?
>
> Bye...
>
> Dirk
>
> --
> Dirk Heinrichs
> GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
> Secure Internet communication: http://www.retroshare.org
> Privacy Handbuch: https://www.privacy-handbuch.de

--
David William Botsch
Programmer/Analyst
@CNFComputing
bot...@cnf.cornell.edu
Re: [OpenAFS] Administrators with a slash
On 06.03.19 at 16:59, Dave Botsch wrote:
> I'm curious what problems you have run into.  We are bouncing Win10
> against MIT Kerberos just fine, so clearly something is different in
> our attempted setups.

Can't really remember, too long ago.  Is this Home or Pro?

Bye...

Dirk

--
Dirk Heinrichs
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Secure Internet communication: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] Administrators with a slash
Hi.

I'm curious what problems you have run into.  We are bouncing Win10
against MIT Kerberos just fine, so clearly something is different in
our attempted setups.

Thanks.

On Wed, Mar 06, 2019 at 04:51:09PM +0100, Dirk Heinrichs wrote:
> On 06.03.19 at 14:28, Ciprian Dorin Craciun wrote:
>
> > Indeed this was my experience also, the Kerberos deployment was quite
> > trivial (once I've done it);
>
> Please note that if you're ever going to add Windows (Professional)
> systems to your setup you should use a (Samba-) AD server for Kerberos.
> Windows has quite some problems talking to standard Kerberos/LDAP
> servers while Linux is fine talking to AD (using either winbindd or sssd).
>
> Bye...
>
> Dirk
>
> --
> Dirk Heinrichs
> GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
> Secure Internet communication: http://www.retroshare.org
> Privacy Handbuch: https://www.privacy-handbuch.de

--
David William Botsch
Programmer/Analyst
@CNFComputing
bot...@cnf.cornell.edu
Re: [OpenAFS] Administrators with a slash
On 06.03.19 at 14:28, Ciprian Dorin Craciun wrote:
> Indeed this was my experience also, the Kerberos deployment was quite
> trivial (once I've done it);

Please note that if you're ever going to add Windows (Professional)
systems to your setup you should use a (Samba-) AD server for Kerberos.
Windows has quite some problems talking to standard Kerberos/LDAP
servers while Linux is fine talking to AD (using either winbindd or sssd).

Bye...

Dirk

--
Dirk Heinrichs
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Secure Internet communication: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] Administrators with a slash
On Wed, Mar 6, 2019 at 7:16 AM Benjamin Kaduk wrote:
> To a large extent, getting Kerberos set up is pretty much drop it in and
> switch it on, but there's a lot of flexibility about principal names,
> especially for administrative operations.  Getting it integrated with
> OpenAFS is mostly about having the right 'pts createuser's happen to
> register users, and creating the afs/cellname.fqdn principal to go in the
> rxkad.keytab and/or KeyFileExt -- at this point, AFS is just a regular
> kerberized service and doesn't require special treatment on the Kerberos
> side for the service principals.

Indeed this was my experience also, the Kerberos deployment was quite
trivial (once I've done it); however it seemed (and still seems) that
I've "lost" something along the way because I lack the proper know-how
and expertise with Kerberos.

> I don't know of specific documentation for this, no.
> I think that many sites running Kerberos+AFS have some homegrown database
> management system that handles both and keeps them synchronized.

And this is unfortunate, especially since deploying OpenAFS "seems" a
daunting task for the small cell operator, or one that just wants to
"play" with the technology.  I say "seems" because deploying an
OpenAFS server can be done quite quickly with a couple of copy-pastes.

Perhaps (if I'll have time) I will prepare a small hands-on tutorial
on deploying OpenAFS on a Linux server.  (I know that there already
exists the "Quick Starting UNIX Guide", however it is far from
"quick"...)  :)

> > > Of course, rxgk will let us use fancier names for things, so we'll have to
> > > get used to a whole new world order when that finishes landing...
> >
> > Could you elaborate more on this?
>
> The short form is that we'll be able to use (encoded) GSS principal
> names in the UserList file.  It looks like the details haven't made it into
> the UserList.pod documentation yet (unsurprising, since the code to
> authenticate as them isn't in place yet), but the format includes a base64
> encoded version of the GSS exported name.

Basically it means one could use something alternative to Kerberos for
authentication?  (Something that is GSS-compliant?)

Thanks,
Ciprian.
Re: [OpenAFS] Administrators with a slash
On Mon, Mar 04, 2019 at 02:14:43PM +0200, Ciprian Dorin Craciun wrote:
> On Mon, Mar 4, 2019 at 3:35 AM Benjamin Kaduk wrote:
> > > Perhaps the OpenAFS Quick Start UNIX chapters touching the Kerberos
> > > integration (http://docs.openafs.org/QuickStartUnix/HDRWQ53.html)
> > > should clearly state this issue with principals containing dots and
> > > using at the same time instances (i.e. slashes)...
> >
> > Patches welcome!  (XML sources browseable at
> > http://git.openafs.org/?p=openafs.git;a=tree;f=doc/xml/QuickStartUnix;h=9e4fbd3f23b81696d98b1fcb68519364fe365d3f;hb=HEAD
> > ; preferred submissions are as gerrit changes (docs on that at
> > https://wiki.openafs.org/devel/GitDevelopers/) but mailed patches and
> > similar are fine.
>
> I'll try to provide a patch to the documentation.
>
> (I am aware that OpenAFS is an open-source, volunteer-based project,
> thus I was not "demanding" the update.)  :)
>
> However on the same subject, is there a document describing how one
> should configure Kerberos (from MIT) to work flawlessly with OpenAFS?
> (I've tried searching for such a document, but found none, and
> moreover even "plain" Kerberos deployment tutorials are very
> scarce...)

I don't know of specific documentation for this, no.
I think that many sites running Kerberos+AFS have some homegrown database
management system that handles both and keeps them synchronized.  (MIT's is
called "Moira" and has a paper or two about it from the Project Athena days.)

To a large extent, getting Kerberos set up is pretty much drop it in and
switch it on, but there's a lot of flexibility about principal names,
especially for administrative operations.  Getting it integrated with
OpenAFS is mostly about having the right 'pts createuser's happen to
register users, and creating the afs/cellname.fqdn principal to go in the
rxkad.keytab and/or KeyFileExt -- at this point, AFS is just a regular
kerberized service and doesn't require special treatment on the Kerberos
side for the service principals.  (Well, other than it being a "clustered"
service where multiple locations share the keytab.)

> > > Moreover it's still unclear to me if in `pts createuser` I should use
> > > the `username.admin` or `username/admin` variants?  (It lets me do
> > > both, but I think only the former actually works.)  Could someone tell
> > > me the "correct" syntax for OpenAFS usernames?
> >
> > You should pts createuser the username.admin variants.
>
> I'll try to include this in that patch also.

Thanks!

> > Of course, rxgk will let us use fancier names for things, so we'll have to
> > get used to a whole new world order when that finishes landing...
>
> Could you elaborate more on this?

The low-level technical spec would be at/nearby
http://afs3-stds.central.org/docs/draft-wilkinson-afs3-rxgk-11.txt
which uses the extended names from
http://afs3-stds.central.org/docs/draft-brashear-afs3-pts-extended-names-09.txt .
The short form is that we'll be able to use (encoded) GSS principal names in
the UserList file.  It looks like the details haven't made it into the
UserList.pod documentation yet (unsurprising, since the code to
authenticate as them isn't in place yet), but the format includes a base64
encoded version of the GSS exported name (which itself would include the
Kerberos mechanism OID, as alluded to in Section 10.3.2 of the second
document).

But I probably was not talking about what you were actually asking about;
feel free to ask for more clarifications.

-Ben
Re: [OpenAFS] Administrators with a slash
On Mon, Mar 4, 2019 at 3:35 AM Benjamin Kaduk wrote:
> > Perhaps the OpenAFS Quick Start UNIX chapters touching the Kerberos
> > integration (http://docs.openafs.org/QuickStartUnix/HDRWQ53.html)
> > should clearly state this issue with principals containing dots and
> > using at the same time instances (i.e. slashes)...
>
> Patches welcome!  (XML sources browseable at
> http://git.openafs.org/?p=openafs.git;a=tree;f=doc/xml/QuickStartUnix;h=9e4fbd3f23b81696d98b1fcb68519364fe365d3f;hb=HEAD
> ; preferred submissions are as gerrit changes (docs on that at
> https://wiki.openafs.org/devel/GitDevelopers/) but mailed patches and
> similar are fine.

I'll try to provide a patch to the documentation.

(I am aware that OpenAFS is an open-source, volunteer-based project,
thus I was not "demanding" the update.)  :)

However on the same subject, is there a document describing how one
should configure Kerberos (from MIT) to work flawlessly with OpenAFS?
(I've tried searching for such a document, but found none, and
moreover even "plain" Kerberos deployment tutorials are very
scarce...)

> > Moreover it's still unclear to me if in `pts createuser` I should use
> > the `username.admin` or `username/admin` variants?  (It lets me do
> > both, but I think only the former actually works.)  Could someone tell
> > me the "correct" syntax for OpenAFS usernames?
>
> You should pts createuser the username.admin variants.

I'll try to include this in that patch also.

> Of course, rxgk will let us use fancier names for things, so we'll have to
> get used to a whole new world order when that finishes landing...

Could you elaborate more on this?

Thanks,
Ciprian.
Re: [OpenAFS] Administrators with a slash
On Sun, Mar 03, 2019 at 11:30:41PM +0200, Ciprian Dorin Craciun wrote:
> On Tue, Jan 10, 2012 at 3:20 PM Bobb Crosbie
> wrote:
> > I now recall reading about the slash -> dot remapping in the docs, but I
> > had forgotten about it.
> >
> > I think perhaps the tools might have done a better job of indicating that
> > there was a problem, and what it might be ?
> >
> > If slashes are remapped to dots, then perhaps ``pts createuser'' should
> > issue a warning message if you try to create a user with a slash ?
> > As it stands (1.4.12 & 1.6.0), pts happily creates the user with the slash
> > and also includes it in the list of entries.
>
> Sorry for reviving such an old thread, but I've just wasted about 4
> hours randomly trying things out in order to get OpenAFS (1.8.0) with
> Kerberos to actually work...  And fortunately (?!) I've managed to
> find the solution through this random process; thus I've searched the
> mailing lists to see if anyone had the same issue...
>
> Perhaps the OpenAFS Quick Start UNIX chapters touching the Kerberos
> integration (http://docs.openafs.org/QuickStartUnix/HDRWQ53.html)
> should clearly state this issue with principals containing dots and
> using at the same time instances (i.e. slashes)...

Patches welcome!  (XML sources browseable at
http://git.openafs.org/?p=openafs.git;a=tree;f=doc/xml/QuickStartUnix;h=9e4fbd3f23b81696d98b1fcb68519364fe365d3f;hb=HEAD
; preferred submissions are as gerrit changes (docs on that at
https://wiki.openafs.org/devel/GitDevelopers/) but mailed patches and
similar are fine.

> Moreover as Bobb observed almost 10 years ago, none of the OpenAFS
> tools (not even in 1.8.0) give any hint about what is happening, not
> in the logs, nor on stderr...
>
> Moreover it's still unclear to me if in `pts createuser` I should use
> the `username.admin` or `username/admin` variants?  (It lets me do
> both, but I think only the former actually works.)  Could someone tell
> me the "correct" syntax for OpenAFS usernames?

You should pts createuser the username.admin variants.

Of course, rxgk will let us use fancier names for things, so we'll have to
get used to a whole new world order when that finishes landing...

-Ben
Re: [OpenAFS] Administrators with a slash
On Tue, Jan 10, 2012 at 3:20 PM Bobb Crosbie wrote:
> I now recall reading about the slash -> dot remapping in the docs, but I had
> forgotten about it.
>
> I think perhaps the tools might have done a better job of indicating that
> there was a problem, and what it might be ?
>
> If slashes are remapped to dots, then perhaps ``pts createuser'' should issue
> a warning message if you try to create a user with a slash ?
> As it stands (1.4.12 & 1.6.0), pts happily creates the user with the slash
> and also includes it in the list of entries.

Sorry for reviving such an old thread, but I've just wasted about 4
hours randomly trying things out in order to get OpenAFS (1.8.0) with
Kerberos to actually work...  And fortunately (?!) I've managed to
find the solution through this random process; thus I've searched the
mailing lists to see if anyone had the same issue...

Perhaps the OpenAFS Quick Start UNIX chapters touching the Kerberos
integration (http://docs.openafs.org/QuickStartUnix/HDRWQ53.html)
should clearly state this issue with principals containing dots and
using at the same time instances (i.e. slashes)...

Moreover as Bobb observed almost 10 years ago, none of the OpenAFS
tools (not even in 1.8.0) give any hint about what is happening, not
in the logs, nor on stderr...

Moreover it's still unclear to me if in `pts createuser` I should use
the `username.admin` or `username/admin` variants?  (It lets me do
both, but I think only the former actually works.)  Could someone tell
me the "correct" syntax for OpenAFS usernames?

Thanks,
Ciprian.
Re: [OpenAFS] Administrators with a slash
Thanks Guys, that seems to be the issue.

I now recall reading about the slash -> dot remapping in the docs, but I had
forgotten about it.

I think perhaps the tools might have done a better job of indicating that
there was a problem, and what it might be?

If slashes are remapped to dots, then perhaps ``pts createuser'' should issue
a warning message if you try to create a user with a slash?
As it stands (1.4.12 & 1.6.0), pts happily creates the user with the slash
and also includes it in the list of entries.

When running aklog, I believe it attempts to get tokens for the default
principal, otherwise it doesn't get any tokens and/or just gets a token for
the anonymous user.  It might be nice if aklog indicated that this was
happening.  Even ``aklog -d'' doesn't really show much, apart from showing
that I have been assigned the ID 32766 of the anonymous user.

Is it necessary to have the anonymous user in pts?  What's the best way to
restrict anonymous access to our cell?  We don't need it.  Our data volumes
don't have "anyuser" access, but I'm hesitant to remove it from our root
volumes.

Many Thanks again.
- bobb
Re: [OpenAFS] Administrators with a slash
On Thu, Jan 05, 2012 at 12:40:32PM +, Bobb Crosbie wrote:
> Both principals are in the system:administrators group (this run when
> authenticated as bobb.crosbie)

Here's your problem.  Due to OpenAFS's history, krb5 principals with a slash
(such as username/admin@REALM) are converted to their krb4 form,
username.admin.  By default, the ptserver disallows dotted principals to
avoid the confusion of equivocating the krb5 principals user.admin@REALM and
user/admin@REALM.  If you are absolutely sure there are no such collisions
in your realm, you can run your servers with -allow-dotted-principals.

For more documentation: http://docs.openafs.org/Reference/8/ptserver.html

--
Jonathan Billings
College of Engineering - CAEN - Unix and Linux Support
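An added example, my code rather than anything from OpenAFS, that models two things from this thread: the krb5-to-PTS name mapping and default dotted-principal policy Jonathan describes above, and the "right 'pts createuser's" that Ben, in his 2019 reply higher up the page, says a site has to keep in step with its Kerberos database. The realm EXAMPLE.COM, the service-principal prefixes and the kadmin/pts listings are constructed; the `rejected_by_default` check is my reading of the `-allow-dotted-principals` documentation plus what the original post observed (bobb.crosbie authenticates, bobb.crosbie/admin ends up anonymous), not the servers' actual code.

```python
"""Model of the krb5 -> PTS name mapping and the default dotted-principal
policy described in this thread, plus a kadmin/pts reconciliation pass that
uses it.  Added example, not OpenAFS code; see the comments for what is
assumed."""
from __future__ import annotations

from typing import Iterable

LOCAL_REALM = "EXAMPLE.COM"   # assumption: the cell's Kerberos realm
# assumption: service principals that must never get PTS user entries
SERVICE_PREFIXES = ("afs/", "krbtgt/", "kadmin/", "host/")


def split_principal(principal: str) -> tuple[list[str], str]:
    """'user/inst@REALM' -> (['user', 'inst'], 'REALM'); realm may be ''."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                         # no '@' at all
        name, realm = principal, ""
    return name.split("/"), realm


def pts_name(principal: str, local_realm: str = LOCAL_REALM) -> str:
    """The krb4-style name a krb5 principal becomes in PTS: the name and
    instance components joined with '.', local realm dropped."""
    components, realm = split_principal(principal)
    if realm and realm.upper() != local_realm.upper():
        raise ValueError(f"cross-realm principal not modelled here: {principal}")
    return ".".join(components)


def rejected_by_default(principal: str) -> bool:
    """Default server policy (no -allow-dotted-principals) as documented for
    ptserver: refuse a principal whose first component contains a dot and
    which also has an instance, because 'a.b/c' and 'a.b.c' would both
    become the PTS entry 'a.b.c'.  This models the documented behaviour and
    the original post's observation; the servers' exact check may differ."""
    components, _ = split_principal(principal)
    return "." in components[0] and len(components) > 1


def colliding_principals(name: str) -> list[str]:
    """Every krb5 spelling that maps onto PTS name `name`, obtained by
    reading each '.' as a possible '/'.  Audit these against kadmin before
    starting the servers with -allow-dotted-principals."""
    parts = name.split(".")
    spellings = []
    for mask in range(1 << (len(parts) - 1)):
        out = parts[0]
        for i, part in enumerate(parts[1:]):
            out += ("/" if mask & (1 << i) else ".") + part
        spellings.append(out)
    return spellings


def sync_plan(kadmin_principals: Iterable[str], pts_entries: Iterable[str],
              allow_dotted: bool = False) -> dict[str, list[str]]:
    """Compare `kadmin listprincs` output with the names from
    `pts listentries` and say what a sync job should do.  Service
    principals are skipped; users the default policy would refuse are
    reported as 'blocked' rather than created, since an entry the servers
    will never authenticate is just a dangling identity."""
    existing = set(pts_entries)
    plan: dict[str, list[str]] = {"create": [], "blocked": [], "present": []}
    for principal in kadmin_principals:
        if principal.startswith(SERVICE_PREFIXES):
            continue
        name = pts_name(principal)
        if not allow_dotted and rejected_by_default(principal):
            plan["blocked"].append(name)
        elif name in existing:
            plan["present"].append(name)
        else:
            plan["create"].append(name)
    return plan


# constructed sample listings, not taken from any real cell
KADMIN_LISTPRINCS = """
afs/example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
bobb.crosbie@EXAMPLE.COM
bobb.crosbie/admin@EXAMPLE.COM
bobbadmin@EXAMPLE.COM
alice/admin@EXAMPLE.COM
""".split()
PTS_LISTENTRIES = ["anonymous", "bobb.crosbie", "bobb.crosbie.admin"]


def demo() -> dict[str, list[str]]:
    return sync_plan(KADMIN_LISTPRINCS, PTS_LISTENTRIES)


if __name__ == "__main__":
    for action, names in demo().items():
        print(f"{action}: {' '.join(names) or '-'}")
    print("spellings that land on bobb.crosbie.admin:",
          ", ".join(colliding_principals("bobb.crosbie.admin")))
```

Run as is, the plan lists bobbadmin and alice.admin to create, bobb.crosbie as already present, and bobb.crosbie.admin as blocked: the PTS entry exists (which is exactly what Bobb saw), but with the default policy the servers never hand that principal anything but the anonymous identity, so the sync job flags it instead of pretending the account works. Pass `allow_dotted=True` only after `colliding_principals` has been checked against the realm for every dotted name you intend to keep.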
Re: [OpenAFS] Administrators with a slash
The problem is likely related to the fact that you're using both dots *AND*
slashes.  As I recall, the principal example/admin@YOURREALM would
automatically map itself to pts user example.admin, so my WAG is that
ptserver is trying to map to 'bobb.crosbie/admin' and coming up with
'bobb.crosbie.admin' or something like that.

Others can certainly speak with more definitive voices than I.
[OpenAFS] Administrators with a slash
Hey,

We are trying to tidy things up with our administrator principals in
Kerberos and AFS.  Rather than having our normal accounts in the AFS
system:administrators group, we thought it would be better to use the
/admin principals we use in Kerberos.  However, we are having some
difficulties which seem to be caused by the slashes in the principal names.

Both principals are in the system:administrators group (this run when
authenticated as bobb.crosbie)

bobb@ophelia:~$ pts membership bobb.crosbie
Groups bobb.crosbie (id: 5021) is a member of:
  system:administrators
bobb@ophelia:~$ pts membership bobb.crosbie/admin
Groups bobb.crosbie/admin (id: 4021) is a member of:
  system:administrators

Both principals are also SUsers:

bobb@ophelia:~$ bos listusers -server afs01
bos: running unauthenticated
SUsers are: admin bobb.crosbie bobb.crosbie/admin []

Authenticating as bobb.crosbie works fine:

bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie; aklog
Password for bobb.cros...@cremelabs.com:
bobb@ophelia:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bobb.cros...@cremelabs.com

Valid starting     Expires            Service principal
01/05/12 12:24:06  01/05/12 20:24:06  krbtgt/cremelabs@cremelabs.com
        renew until 01/06/12 12:23:03
01/05/12 12:24:06  01/05/12 20:24:06  afs/cremelabs@cremelabs.com
        renew until 01/06/12 12:23:03
bobb@ophelia:~$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 5021) tokens for a...@cremelabs.com [Expires Jan  5 20:24]
   --End of list--

I can authenticate against Kerberos as bobb.crosbie/admin

bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie/admin; aklog; klist; tokens
Password for bobb.crosbie/ad...@cremelabs.com:
bobb@ophelia:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bobb.crosbie/ad...@cremelabs.com

Valid starting     Expires            Service principal
01/05/12 12:24:46  01/05/12 20:24:46  krbtgt/cremelabs@cremelabs.com
        renew until 01/06/12 12:23:44
01/05/12 12:24:46  01/05/12 20:24:46  afs/cremelabs@cremelabs.com
        renew until 01/06/12 12:23:44

But I don't seem to get a proper token from AFS - there's no "(AFS ID 4021)" bit

bobb@ophelia:~$ tokens

Tokens held by the Cache Manager:

Tokens for a...@cremelabs.com [Expires Jan  5 20:24]
   --End of list--

And bobb.crosbie/admin doesn't have permission to look at group memberships

bobb@ophelia:~$ pts membership bobb.crosbie/admin
pts: Permission denied ; unable to get membership of bobb.crosbie/admin (id: 4021)

Everything seems to work fine if we create another principal in Kerberos
without the slash (bobbadmin, say), create that user in pts and add it to the
system:administrators group.  The slash seems to be the only issue.

Any Ideas?  Are users/principals with slashes supported?  Or is it
recommended to do things another way?  A number of documents (like this:
http://techpubs.spinlocksolutions.com/dklar/afs.html) suggest that slashes
are used.

Many Thanks,
- bobb