Re: Need help for AFS+K5+LDAP

From: Christopher D. Clausen (cclausen_at_acm.org)
Date: 02/26/05

    Date: Sat, 26 Feb 2005 16:43:42 -0600

    I'd suggest getting Kerberos authentication to work for local accounts
    first. And then try to get LDAP working. Doing both at once is
    difficult to debug.

    I currently have an AIX 5.1 machine (enzo.acm.uiuc.edu) up that uses NIS
    and Kerberos auth (no passwords in NIS). I haven't yet taken the time
    to enable getting AFS tokens at login, but I'm working on it. (Lack of
    PAM in AIX 5.1 is a serious deficiency.)

    I found this useful:
    http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/kerberos_auth_only_load_module.htm

    This may also be useful for you: http://www.feep.net/PAM/AIX/

    I currently use gssklog from:
    ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
    to obtain AFS tokens. I just run this program manually at login.

    There are various patches to have OpenSSH linked with Heimdal libs
    automatically obtain AFS tokens for a user at login. I have not yet
    gotten it to work on AIX 5.1. I believe there is a working OpenSSH
    binary available from: http://afs.caspur.it/afs/italia/project/ssh/

    My current /lib/security/methods.cfg:
    NIS:
            program = /usr/lib/security/NIS
            program_64 = /usr/lib/security/NIS_64

    DCE:
            program = /usr/vice/etc/afs_dynamic_kerbauth
            options = authonly

    AFS:
            program = /usr/vice/etc/afs_dynamic_kerbauth
            options = authonly

    AFSfiles:
            options = db=BUILTIN,auth=AFS

    KRB5:
            program = /usr/lib/security/KRB5
            options = authonly

    KRB5files:
            options = db=BUILTIN,auth=KRB5

    KRB5NIS:
            options = db=NIS,auth=KRB5

    And I'd suggest asking this question on the openafs-info mailing list if
    you haven't already.

    <<CDC
    Christopher D. Clausen
    ACM@UIUC SysAdmin

    Gary Tay Teng Teck <garyttt@singnet.com.sg> wrote:
    > Not sure if the following URLs provide useful info to you. I heard
    > that IBM is de-supporting AFS? and favouring NFS? Anyway I don't use
    > AIX.
    > http://www.redbooks.ibm.com/redbooks/pdfs/sg246622.pdf (chapter 2/3)
    > http://www.bayour.com/LDAPv3-HOWTO.html (Kerberos+LDAP+OpenAFS)
    > https://www.math.gatech.edu/~dijuremo/ldap/ (Kerberos+LDAP+samba)
    >
    > Kerberos+OpenLDAP+OpenAFS
    >
    > http://www.opeafs.org/
    > http://www.openldap.org/
    > http://www.gentoo.org/doc/openafs.html (basic AFS configuration)
    >
    > http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/afs_krb5_migration.html
    > http://www.padl.com/OSS/pam_ldap.html (LDAP pam)
    >
    > http://grand.central.org/twiki/bin/view/AFSLore/?topic=KerberosAFSInstall
    > "openafs-krb5-1.3.tar.gz" http://en.tldp.org/HOWTO/LDAP-HOWTO/
    > http://www.mandrakesecure.net/en/docs/ldap-auth.php (LDAP auth)
    > http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/
    > http://www.bayour.com/LDAPv3-HOWTO.html (Kerberos+LDAP+AFS)
    > http://ofb.net/~jheiss/krbldap/ (Kerberos + LDAP)
    > http://www.cesnet.cz/doc/techzpravy/2001/02/ (LDAP)
    > http://www.cit.cornell.edu/computer/system/win2000/kerberos/
    > http://www.natur.cuni.cz/~mmokrejs/afs/
    > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
    >
    > http://people.mandrakesoft.com/~florin/www/configs/kerberos/kerberos.html
    > http://www.dice.informatics.ed.ac.uk/deploy/1_ldap.html (analysis of
    > the solution) http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
    > (Kerberos) http://www.kegel.com/linux/edu/fileserving.html
    > http://www.saas.nsw.edu.au/solutions/ldap-auth-pam.html (LDAP)
    > http://www.mathematik.uni-karlsruhe.de/~iwrmm/Persons/
    > /Schulz/Unix/afs/afs-krb5.html (krb5+afs)
    > http://www.fnal.gov/docs/strongauth/html/strong_authTOC.html (similar
    > to Cern IT) http://diradmin.open-it.org
    > http://meta.cesnet.cz/docs/descr/afs.cz.html (kerberos, afs - in Czech)
    > http://www.ms.mff.cuni.cz/labs/unix/ http://orion.zcu.cz/
    > Gary
    >
    > Sensei wrote:
    >> Hi.
    >>
    >> I'm trying to make a p650 with AIX 5.2 authenticate over our network
    >> infrastructure. We have:
    >>
    >> - Kerberos 5 KDCs, MIT implementation
    >> - OpenLDAP directory service for posixAccount and other stuff
    >> - OpenAFS relying on K5 (no kaserver)
    >>
    >> What I'd like to do is let our users authenticate over the MIT KDC,
    >> consequently get AFS tokens, and use their AFS home directory
    >> specified by LDAP with their specified shell (always in LDAP).
    >> Nothing is local. I know how to make a Linux box do that, using PAM
    >> and nss_ldap along with K5 (aklog if needed). But AIX? I've been
    >> trying this.
    >>
    >>
    >> ---==[ /lib/security/methods.cfg ]==---
    >> NIS:
    >> program = /usr/lib/security/NIS
    >>
    >> DCE:
    >> program = /usr/vice/etc/afs_dynamic_auth
    >>
    >> AFS:
    >> program = /usr/vice/etc/afs_dynamic_auth
    >>
    >> KRB5:
    >> program = /usr/lib/security/KRB5
    >>
    >> KRB5files:
    >> options = db=BUILTIN,auth=KRB5
    >>
    >> But it seems that Kerberos won't authenticate over our KDCs; the
    >> configuration file krb5.conf is well written.
    >>
    >> Another thing, which I don't even know where to start from, is LDAP.
    >> How do I get something like nss_ldap for groups, IDs and so on
    >> (posixAccount, posixGroup)?
    >>
    >> How to make OpenAFS get its tokens without having kaserver? Is there
    >> an aklog-like thing or pam_krb5afs?
    >>
    >> Any help would be appreciated!
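As an added illustration (not code from this thread, nor anything shipped with AIX), here is a small Python checker for the methods.cfg stanza format quoted above: it parses the stanzas and reports any compound module whose db=/auth= option points at a stanza that is missing or has no program to load, which is a cheap thing to rule out before debugging the KDC side. The sample configuration is constructed, and the parser assumes the stanza layout exactly as shown in the thread (a `name:` header followed by indented `attribute = value` lines).

```python
import re

# Constructed sample (thread's stanza format); KRB5LDAP is deliberately dangling.
SAMPLE_CFG = """\
NIS:
        program = /usr/lib/security/NIS
KRB5:
        program = /usr/lib/security/KRB5
        options = authonly
KRB5files:
        options = db=BUILTIN,auth=KRB5
KRB5NIS:
        options = db=NIS,auth=KRB5
KRB5LDAP:
        options = db=LDAP,auth=KRB5
"""

STANZA_RE = re.compile(r"^(\S+):\s*$")              # e.g. "KRB5files:"
ATTR_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")  # e.g. "    options = ..."

def parse_methods_cfg(text):
    """Return {stanza: {attribute: value}}; an attribute before any header is an error."""
    stanzas, current = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        header = STANZA_RE.match(line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
            continue
        attr = ATTR_RE.match(line)
        if attr is None or current is None:
            raise ValueError(f"line {lineno}: unexpected {line!r}")
        current[attr.group(1)] = attr.group(2)
    return stanzas

def check_methods_cfg(stanzas):
    """List dangling or unloadable db=/auth= targets (BUILTIN is AIX's local db, not a stanza)."""
    problems = []
    for name, attrs in stanzas.items():
        opts = dict(kv.partition("=")[::2]
                    for kv in attrs.get("options", "").split(",") if kv)
        for role in ("db", "auth"):
            target = opts.get(role)
            if target is None or target == "BUILTIN":
                continue
            if target not in stanzas:
                problems.append(f"{name}: {role}={target} is not a defined stanza")
            elif "program" not in stanzas[target]:
                problems.append(f"{name}: {role}={target} has no program to load")
    return problems
```

Running `check_methods_cfg(parse_methods_cfg(open("/lib/security/methods.cfg").read()))` on a real AIX box gives a list of stanza references that cannot resolve; an empty list means every compound module points at something loadable.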

