Hi.

I'm quite new to AIX, so please excuse me... it's probably simple...
I've read the redbook about AIX/Linux, but I can't figure out
whether I'm doing it right or whether I'm missing a step... I'm struggling with AIX 5.2...
my knowledge is more on Linux, and AIX seems to have a different way of
interpreting authentication...

First, I configured Kerberos5 and LDAP. Now I can obtain a ticket from our KDCs, and LDAP works for queries... I also noticed that ldap comes with no GSSAPI!

Now, I don't know how to continue, since AFS is running without kaserver, and we have an MIT KDC and OpenLDAP for home directories and uid/gid mapping... Then... how can I make AIX join the AFS cell as a client?

In simple tasks:
- UID/GID mapping with LDAP entries
- Kerberos Authentication (lsauthent shows K5 and then STD)
- AFS token grabbing (default k5 on aix seems mit-like)

Tell me if my guesses are right:

First, /etc/security/user

default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        SYSTEM = "KRB5files OR compat"
*       SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
        registry = DCE
        umask = 022
        expires = 0
        logintimes =
        pwdwarntime = 0
        account_locked = false
Then /usr/lib/security/methods.cfg

AFS:
        program = /usr/vice/etc/afs_dynamic_auth

KRB5:
        program = /usr/lib/security/KRB5

KRB5files:
        options = db=BUILTIN,auth=KRB5


Finally /usr/vice/etc (ThisCell, CellServDB), and LDAP. Everything seems to work, but now I need to glue all the pieces together... can you tell me if I'm doing it right?

plmserver:~> ldapsearch "cn=plm"
version: 2

#
# filter: cn=plm
# requesting: ALL
#

# plm
dn: cn=plm
objectClass: top
objectClass: posixGroup
cn: plm
gidNumber: 10002
memberUid: username
description: afs plm group

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

plmserver:~> kinit username
Password for [EMAIL PROTECTED]:

plmserver:~> klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_10831
Default principal:  [EMAIL PROTECTED]

Valid starting     Expires            Service principal
03/17/05 20:48:47  03/18/05 06:48:47  krbtgt/[EMAIL PROTECTED]

plmserver:~>
-- Sensei <mailto:[EMAIL PROTECTED]> <pgp:8998A2DB> <icqnum:241572242> <yahoo!:sensei_sen> <msn-id:[EMAIL PROTECTED]>
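One thing worth checking before gluing the pieces together is which SYSTEM grammar is actually in effect and whether every method it names has a stanza in methods.cfg. In AIX stanza files a line starting with `*` is a comment, so in the /etc/security/user above only `KRB5files OR compat` is live; the AFS line is not. The script below is an added example (not the poster's code or anything shipped with AIX): it parses the stanza format, pulls an attribute out of a named stanza while skipping `*` lines, extracts the method names from a SYSTEM grammar string, and confirms each one is defined in methods.cfg (following `auth=` in an `options` line to the module it delegates to). It assumes that `compat`, `files` and `NONE` are built-in grammar tokens that need no stanza, and the sample files it writes to a temporary directory are constructed from the stanzas in the post.

```shell
#!/bin/sh
# Added example: sanity-check AIX authentication stanzas offline.
# Assumption: compat, files and NONE are built-in SYSTEM tokens with no methods.cfg stanza.

# stanza_attr FILE STANZA ATTR: print ATTR's value from STANZA, ignoring '*' comment lines.
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^\*/ { next }                                   # AIX comment line
        /^[^ \t].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }   # "name:" header
        cur == stanza {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")                         # first "=" only: options keep their own "="
            if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[ \t]+$/, "", key)
            if (key != attr) next
            val = substr(line, n + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (val ~ /^".*"$/) val = substr(val, 2, length(val) - 2)   # drop surrounding quotes
            print val; exit
        }' "$1"
}

# system_methods GRAMMAR: list the distinct method names in a SYSTEM grammar string.
# Drops parentheses, [UNAVAIL]/[SUCCESS]-style result tags, and the OR/AND operators.
system_methods() {
    printf '%s\n' "$1" | tr '()' '  ' | tr ' ' '\n' | sed 's/\[.*\]$//' \
        | grep -v -e '^$' -e '^OR$' -e '^AND$' | awk '!seen[$0]++' \
        | tr '\n' ' ' | sed 's/ $//'
}

# check_methods METHODS_CFG GRAMMAR: return 1 if a named method lacks a stanza
# (or delegates via auth= to a module that lacks one); warn if its program is absent here.
check_methods() {
    cfg=$1; rc=0
    for m in $(system_methods "$2"); do
        case $m in compat|files|NONE) continue ;; esac          # built-in tokens (assumption)
        if ! grep -q "^$m:" "$cfg"; then
            echo "missing stanza for $m in $cfg"; rc=1; continue
        fi
        prog=$(stanza_attr "$cfg" "$m" program)
        opts=$(stanza_attr "$cfg" "$m" options)
        auth=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^auth=//p')
        if [ -n "$auth" ] && ! grep -q "^$auth:" "$cfg"; then
            echo "$m: auth=$auth names a module with no stanza in $cfg"; rc=1
        fi
        if [ -n "$prog" ] && [ ! -x "$prog" ]; then
            echo "note: $m uses $prog, which is not present on this host"
        fi
    done
    return $rc
}

# write_samples DIR: constructed copies of the stanzas from the post, for an offline run.
write_samples() {
    cat > "$1/user" <<'EOF'
default:
        admin = false
        auth1 = SYSTEM
        auth2 = NONE
        SYSTEM = "KRB5files OR compat"
*       SYSTEM = "AFS OR (AFS[UNAVAIL] AND compat[SUCCESS])"
        registry = DCE
        umask = 022
EOF
    cat > "$1/methods.cfg" <<'EOF'
AFS:
        program = /usr/vice/etc/afs_dynamic_auth

KRB5:
        program = /usr/lib/security/KRB5

KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
effective=$(stanza_attr "$SAMPLES/user" default SYSTEM)
echo "effective SYSTEM grammar: $effective"
echo "methods it names: $(system_methods "$effective")"
check_methods "$SAMPLES/methods.cfg" "$effective" && echo "every named method has a stanza"
```

Run it as-is to see the effective grammar from the constructed samples, or point `stanza_attr` and `check_methods` at the real /etc/security/user and /usr/lib/security/methods.cfg on the AIX box; the `note:` lines then tell you which module binaries are actually installed.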