Last modified Feb 25 2007.
This document is neglected by Joe Anderson,
acropolis blat etrumeus daht com.
The latest version can be found at
http://deejoe.etrumeus.com/acropolis
This is version 0.5.1, as of 20070713.
Many changes to the Iowa State environment have been made
since this document was current, and support from the Iowa State
IT organization largely supersedes what is written here. Folks at the University of Michigan, Cornell University,
North Carolina State University, and the Massachusetts Institute
of Technology, among others, have almost certainly dealt with
these issues as well, and have had and may still have
documentation available on the web you might find useful.
Inspection of the default cells in the code for RedHat's
pam_krb5afs.so, for example, suggests that the code in that
package was put together at NCSU. No surprise there, since
RedHat's World HQ and NCSU are only a few miles from each other!
Steve Langasek, Chris Campbell, Kevin Puetz, Tracy Di Marco White,
John Hascall, Dave Edsall, Landon Evans, Thomas Kula and perhaps a few
others that I'm unfortunately forgetting have been very helpful and
inspirational, both through f2f discussion and via the aafugit@aafugit.org
mailing list, in my quests to get my machines working with Kerberos and AFS
and in spreading the good word of ubiquitous (or, at least, campuswide)
coordinated logins. Proper credits should also be available in the RPM
packages listed below for their contributors.
This document is based on my ongoing installation and configuration
experience of the software mentioned below, primarily on Mandrake 7.1 and
Redhat 6.2 systems for use in the IASTATE.EDU cell.
I hope this is helpful, but I am in no way responsible if
it is not helpful or even causes you some trouble!
Furthermore, the department of Academic Information Technologies (aka
AIT, the department formerly known as the Computation Center, aka Comp
Center) may have people willing to help with this as well, but the software
and functionality described is not, as far as I know, officially supported
by them yet. So please keep comments regarding, and requests for help from,
AIT respectful rather than expectful. I do not represent AIT in any
fashion.
Developments since Steve Langasek wrote the PV-HOWTO include the
more widespread availability in "stable" distributions of krb5 packages for
rpm-based systems such as RedHat, Mandrake, and SuSE, and possibly also for
Debian-based systems (Steve has mentioned that the deb packages are now just
about all in the unstable branch of Debian, i.e., post Debian 2.2). Also
since then has come the rollout of Windows 2000, which has in my opinion
increased interest and awareness of Kerberos 5. And, most recently,
IBM/Transarc has announced an Open Source fork of AFS (see References).
Needed:
Useful:
The software in the Needed list will allow you to mount
AFS directories. The software in the Useful list will allow you
to automatically mount AFS directories as users' home
directories.
PAM, Kerberos, and hesiod alone can be used to authenticate users
for giving them access to your local machine's resources, without
necessarily using AFS. In this scenario, you need to create a local /home
directory for users and ensure that uid's are consistent between your
machine and the hesiod database, if they are logging in either at the
console or remotely (via ssh, for instance). If you are giving them access
to another service, then your needs depend on the nature of that service.
We are, for example, using kerberos authentication to grant access to
certain web directories. This doesn't require mounting of any home
directory for the user. It does, however, require some care to use SSL so
that the kerberos password doesn't go in the clear to the web server (among
other concerns).
AFS requires Kerberos 4 tickets. One can use the MIT Kerberos 4
packages or the kth-krb4 packages to get these tickets. However, Kerberos 5
is the "wave of the future". Kerberos 5 tickets can be converted to
Kerberos 4 tickets with a utility called krb524init which is included, for
instance, in the Kerberos packages shipping with RedHat, and I would guess,
is also available in other Kerberos 5 packages and implementations, such as
the MIT source code, the Heimdal source code, and Debian 2.2 packages. The
PAM module pam_krb5afs can also get Kerberos 4 tickets for use in getting
AFS tokens.
Your system time needs to be sufficiently close to the
time the Kerberos servers think it is in order for you to get
tickets and for those tickets to work. rdate or netdate or
xntpd can be used to keep your system time reasonably in sync
with time.iastate.edu or other time servers of your choice. In
my experience, frobbing around with the RedHat time settings
using timeconfig was also necessary to get the time zone
settings right.
krb5.conf needs to be configured to work with the
domain/realm (I'm still unclear of the distinction here) of your
choice, in this case IASTATE.EDU.
To use AFS, krb.conf (the Kerberos 4 config file) also
needs to be configured, though it is smaller and simpler.
/etc/pam.d/
You need to use automount if you want AFS directories to appear as
home directories automagically (managed, at least on RedHat,
by the autofs init.d script). /etc/auto.master needs to be
configured to have hesiod automount users' /home directories.
Also, if you want AFS home directories, you need to have nsswitch.conf
configured to direct passwd-type lookups to hesiod. The passwd record
(from the Hesiod database) is, despite the name, used in this case to
find the user's home directory, uid and gid, rather than the user's
password. Kerberos deals with the password. See this email for a
bit more info on the subject. For this to work, hesiod.conf needs to be
configured.
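The uid consistency the two paragraphs above call for (local passwd versus the Hesiod passwd record) can be checked mechanically. This is an added example, not code from the original document or from Iowa State; the sample files are constructed, and the AFS paths and uids in them are made up.

```shell
#!/bin/sh
# Added example, not part of the original document: compare the uid and gid
# of each local user against the Hesiod passwd record for the same user.
# Hesiod passwd records carry the same seven colon-separated fields as
# /etc/passwd, so a mismatch means files the user creates on this host get a
# different owner than on the AFS side. The two files below are constructed
# samples; on a real host use /etc/passwd and, for each user, the output of
#   hesinfo "$user" passwd
# collected into one file.

# usage: check_hesiod_uids LOCAL_PASSWD HESIOD_PASSWD
# Prints one line per mismatching user; returns 1 if any, 0 otherwise.
check_hesiod_uids() {
    awk -F: '
        FILENAME == ARGV[1] { huid[$1] = $3; hgid[$1] = $4; next }
        ($1 in huid) && ($3 != huid[$1] || $4 != hgid[$1]) {
            printf "%s local=%s:%s hesiod=%s:%s\n", $1, $3, $4, huid[$1], hgid[$1]
            bad = 1
        }
        END { if (bad) exit 1 }
    ' "$2" "$1"
}

# Constructed sample data: the uids and AFS paths are made up; deejoe and
# slater are user names that appear in other examples on this page.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/local.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
deejoe:x:500:500:Joe:/home/deejoe:/bin/tcsh
slater:x:501:501:Slater:/home/slater:/bin/tcsh
EOF
cat > "$SAMPLE_DIR/hesiod.passwd" <<'EOF'
deejoe:*:500:500:Joe:/afs/iastate.edu/users/deejoe:/bin/tcsh
slater:*:20001:20001:Slater:/afs/iastate.edu/users/slater:/bin/tcsh
EOF

check_hesiod_uids "$SAMPLE_DIR/local.passwd" "$SAMPLE_DIR/hesiod.passwd" \
    || echo "uid/gid mismatches found; fix them before letting these users log in"
```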
In my experience, the invocation of arlad from within
/etc/rc.d/init.d/arla needed to be changed from the form I found in
the rpms to the new form, which works also in the startarla
script:
The first is the need to compile the arla kernel module for
one's specific kernel. This requires in turn that some kernel files need to
be installed, that the arla spec file might need to be tweaked, and in
general that certain other files/packages be installed. This manual
dependency checking and fulfillment requires a bit more attention than the
quite easy "fetch a binary package and install it with a package manager"
cycle. The OpenAFS packages for Linux almost make this a trivial, turn-key
process, but not entirely.
The second big gotcha is that, with the changeover of
the AAFUGIT server, I'm not sure that one can readily get the
source for the autofs-hesiod modules. The binary packages I had
from before the switch still work for me, but I don't know how
widely they will work for others. (Again, this email
addresses this concern somewhat).
The third big gotcha is that users end up using the same
shell and dotfiles on all machines, and that a "universal" set
of dotfiles that does everything properly on both Acropolis
hosts and on locally Acropolis-enabled hosts might take some
development. I've copied over /usr/athena/lib/init onto my
local Acropolis-enabled hosts so that I can tweak them locally,
but still take advantage of what the AIT systems group deems to
be useful on their machines. In general, this has the
double-edged advantages/disadvantages of being highly
configurable yet highly constrained by the close coupling
involved in using the same set of user files across platforms.
The most intractable problem I've found so far regarding dotfiles has
been an alias defined for "telnet" in most users' .cshrc.mine file in their
AFS space, specifically:
A fourth gotcha is that, if you are going to be using PAM at all, you
have to be careful with the configuration--the examples I offer aren't
optimal at all. In some cases, I've found myself logging out as a user, or
as root, and not able to log back in again, and having to boot the machine
with a rescue disk or similar to change the configuration. Tread carefully
here. To save yourself hassle, test your /etc/pam.d/login script on a
separate virtual terminal before logging out of the one in which you did the
editing. If you can get in via login, then at least you can fix problems
with /etc/pam.d/sshd or /etc/pam.d/xdm and so forth (assuming you have
physical access to the machine, rather than doing this remotely!).
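Besides testing on a second virtual terminal, a quick lint of the pam.d file before you log out catches the most common lockout causes: a module path with a typo, or a misspelled control flag. This is an added example, not from the original document; the MODROOT prefix, the fake module tree and both sample files are constructed so it runs without touching the real /etc/pam.d.

```shell
#!/bin/sh
# Added example, not part of the original document: a small lint for an
# /etc/pam.d service file, to run before you log out of the terminal you
# edited it in. It flags lines whose module file does not exist (a common
# way to lock yourself out), lines with an unknown type or control flag, and
# it understands the backslash line continuations used in the examples on
# this page. MODROOT is a hypothetical prefix so the sample can run against
# a fake /lib/security; on a real host leave it empty.

# Drop comments and blank lines, join "\"-continued lines into one line.
join_pam_lines() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { line = line $0; if (sub(/\\$/, "", line)) next; print line; line = "" }' "$1"
}

# usage: lint_pam_file FILE [MODROOT]; prints findings, returns 1 if any.
lint_pam_file() {
    findings=$(join_pam_lines "$1" | while read -r type control module args; do
        case $type in auth|account|password|session) ;;
            *) echo "unknown type '$type': $type $control $module" ;; esac
        case $control in required|requisite|sufficient|optional) ;;
            *) echo "unknown control '$control': $type $control $module" ;; esac
        [ -f "${2:-}$module" ] || echo "missing module: ${2:-}$module"
    done)
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    return 0
}

# Constructed sample: a fake module tree, the login stack from this page in
# short form, and a copy of it with two typos (control flag, module name).
MODROOT=$(mktemp -d)
mkdir -p "$MODROOT/lib/security"
for m in pam_securetty pam_nologin pam_unix pam_krb5 pam_krb5afs pam_cracklib; do
    : > "$MODROOT/lib/security/$m.so"
done
PAM_GOOD=$MODROOT/login.good
PAM_BAD=$MODROOT/login.bad
cat > "$PAM_GOOD" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_unix.so
auth       required     /lib/security/pam_krb5.so use_first_pass
auth       required     /lib/security/pam_krb5afs.so
password   sufficient   /lib/security/pam_unix.so use_authtok \
                        md5 shadow
session    required     /lib/security/pam_unix.so
EOF
sed -e '/pam_krb5\.so/s/required/requird/' -e 's/pam_securetty/pam_securety/' \
    "$PAM_GOOD" > "$PAM_BAD"

lint_pam_file "$PAM_GOOD" "$MODROOT" && echo "$PAM_GOOD: no problems found"
lint_pam_file "$PAM_BAD" "$MODROOT" || echo "$PAM_BAD: fix before logging out"
```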
$cat /proc/version
Linux version 2.2.16-9mdk (chmou@mururoa.us.mandrakesoft.com) (gcc version
2.95.3 19991030 (prerelease)) #1 Thu Jun 22 17:04:01 PDT 2000
$rpm -qa | grep krb
krb5-configs-1.1.1-12
krbafs-1.0-3
krbafs-utils-1.0-3
krb5-libs-1.1.1-12
krb5-server-1.1.1-12
krb5-devel-1.1.1-12
krb5-workstation-1.1.1-12
pam_krb5-1-7
$rpm -qa | grep hesiod
autofs-hesiod-3.1.3-10
hesiod-3.0.2-2
$rpm -qa | grep arla
arla-0.33.1-3
arla-kernel-2.2.16-9mdk-nosmp-0.33.1-3
CellServDB is a file over 700 lines long at the time of this writing. It
should include the following entries for ISU:
For OpenBSD, Tom has that covered for setting up kerberized telnet, but
with FreeBSD you have to do something a little bit different:
See the list of references for a link to Thomas Kula's instructions for
OpenBSD
Some minor wording tweaks.
2007-07-13 0.5.2 changed some contact information
2002-02-25 0.5
I don't know what I did for 0.4. Anyway, I moved around some
<pre>
and <code> tags to get the examples to look right in graphical browsers
(or in Opera, at least).
Put back in Landon's comments about FreeBSD, which had dropped out
somehow (maintainer error, for sure).
2001-05-15 0.4
Added the Other Operating Systems section, and
included therein Landon Evans's contribution regarding FreeBSD.
2001-04-28 0.3
Added changelog. Added a fourth "big gotcha" about avoiding inadvertent PAM
lockouts. Added an "About this document" section as part of attempt to
begin regularizing this doc. Something still wrong near the pam.d/sshd example
file that breaks Konqueror, but ok in lynx and netscape. Added link to
AcropolisTalk.ppt.
http://www.ait.iastate.edu/pubs/gng255/
Copyright (c) 2000-2007 by D. Joe Anderson
Please freely copy and distribute (sell or give away) this
document in any format. It's requested that corrections
and/or comments be forwarded to the document maintainer. You
may create a derivative work and distribute it provided that
you:
If you're considering making a derived work other than a
translation, it's requested that you discuss your plans with
the current maintainer.
List of example files
About this document
Acknowledgements
Steve Langasek's PV-HOWTO covers most of this, available at:
Introduction & Rationale
Some "gotchas":
daemon $BINDIR/arlad --sysname=i386_linux3 #old invocation
daemon $BINDIR/arlad -z #new invocation
There are three big "gotchas", in my opinion:
In my own AFS space, I've commented that out. If you are the only user you
have to worry about, this fix should work. If you have other users, then
you've got problems. The trivial fix is to invoke telnet from the command
line with the full pathname (/usr/kerberos/bin/telnet). Other options
include making aliases or desktop icons that invoke the proper binary.
alias telnet 'title \!:*; /usr/ucb/telnet; cd .'
Examples
RPMs
krb.conf
$cat /etc/krb.conf
IASTATE.EDU
IASTATE.EDU kerberos-1.iastate.edu admin server
IASTATE.EDU kerberos-2.iastate.edu
BOGUS.IASTATE.EDU genuinely.bogus.iastate.edu admin server
SICS.SE kerberos.sics.se admin server
NADA.KTH.SE kerberos.nada.kth.se admin server
NADA.KTH.SE sysman.nada.kth.se
NADA.KTH.SE server.nada.kth.se
ADMIN.KTH.SE ulysses.admin.kth.se admin server
ADMIN.KTH.SE graziano.admin.kth.se
ADMIN.KTH.SE montano.admin.kth.se
BION.KTH.SE chaplin.bion.kth.se admin server
DSV.SU.SE ssi.dsv.su.se admin server
DSV.SU.SE vall.dsv.su.se
E.KTH.SE kerberos.e.kth.se admin server
E.KTH.SE kerberos-1.e.kth.se
E.KTH.SE kerberos-2.e.kth.se
IT.KTH.SE kerberos.it.kth.se
IT.KTH.SE kerberos-1.it.kth.se
IT.KTH.SE kerberos-2.it.kth.se
MECH.KTH.SE kerberos.mech.kth.se admin server
KTH.SE kth.se admin server
ML.KVA.SE gustava.ml.kva.se admin server
PI.SE liszt.adm.pi.se admin server
STACKEN.KTH.SE kerberos.stacken.kth.se admin server
SUNET.SE kerberos.sunet.se admin server
CYGNUS.COM kerberos.cygnus.com admin server
CYGNUS.COM kerberos-1.cygnus.com
CYGNUS.COM dumb.cygnus.com
DEVO.CYGNUS.COM dumber.cygnus.com admin server
MIRKWOOD.CYGNUS.COM mirkwood.cygnus.com admin server
KITHRUP.COM KITHRUP.COM admin server
ATHENA.MIT.EDU kerberos.mit.edu admin server
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu admin server
SMS_TEST.MIT.EDU dodo.mit.edu admin server
LS.MIT.EDU ls.mit.edu admin server
IFS.UMICH.EDU kerberos.ifs.umich.edu
CS.WASHINGTON.EDU hawk.cs.washington.edu
CS.WASHINGTON.EDU aspen.cs.washington.edu
CS.BERKELEY.EDU okeeffe.berkeley.edu
SOUP.MIT.EDU soup.mit.edu admin server
TELECOM.MIT.EDU bitsy.mit.edu
MEDIA.MIT.EDU kerberos.media.mit.edu
NEAR.NET kerberos.near.net
CATS.UCSC.EDU mehitabel.ucsc.edu admin server
CATS.UCSC.EDU ucsch.ucsc.edu
WATCH.MIT.EDU kerberos.watch.mit.edu admin server
TELEBIT.COM napa.telebit.com. admin server
ARMADILLO.COM monad.armadillo.com admin server
TOAD.COM toad.com admin server
ZEN.ORG zen.org admin server
LLOYD.COM harry.lloyd.com admin server
EPRI.COM kerberos.epri.com admin server
EPRI.COM kerberos-2.epri.com
krb5.conf
$cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = IASTATE.EDU
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc

[realms]
 IASTATE.EDU = {
  kdc = kerberos-1.iastate.edu:88
  kdc = kerberos-2.iastate.edu:88
  admin_server = kerberos-1.iastate.edu:749
  default_domain = iastate.edu
 }

[domain_realm]
 .iastate.edu = IASTATE.EDU
 iastate.edu = IASTATE.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = true
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = true
 afs_cells = iastate.edu
 required_tgs = deejoe
hesiod.conf
$cat /etc/hesiod.conf
# This file determines the behavior of the Hesiod library.
# This line should pretty much always be the same, unless you have a
# funny environment.
lhs=.ns
# This determines the Hesiod domain. You must specify an rhs line.
rhs=.IASTATE.EDU
# This line specifies the class search order. You can reverse the
# order or leave out IN or HS if you want. Don't add spaces after the
# beginning of the value.
classes=HS,IN
CellServDB
A copy of CellServDB can be found in the free-unix locker on Project
Acropolis (on an isua machine, "add free-unix" then "ls /home/free-unix").
There is also a script there, daily.CellServDB, for updating CellServDB.
>iastate.edu # Iowa State University
129.186.1.243 #afsdb-1.iastate.edu
129.186.6.243 #afsdb-2.iastate.edu
129.186.142.243 #afsdb-3.iastate.edu
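To confirm that a copy of CellServDB actually carries the entries above, it helps to pull one cell's database servers out of the file by name. This is an added example, not code from the original document or from the free-unix locker; the sample CellServDB is constructed from the iastate.edu entry on this page plus one made-up cell.

```shell
#!/bin/sh
# Added example, not from the original document: list the database servers
# for one cell in a CellServDB file, which is an easy way to confirm the
# ISU entries above made it into the copy on your machine. The format is a
# ">cellname  # comment" line followed by one "ip-address #hostname" line
# per database server. The sample file is constructed: it holds the
# iastate.edu entry from this page plus a made-up cell.

# usage: cell_servers CELL FILE -> prints "ip hostname" per server,
# returns 1 if the cell is not in the file.
cell_servers() {
    awk -v cell="$1" '
        /^>/ { name = substr($1, 2); next }
        name == cell && NF > 0 {
            host = ""
            if (index($0, "#")) { host = $0; sub(/^[^#]*#[ \t]*/, "", host) }
            print $1, host; found = 1
        }
        END { if (!found) exit 1 }
    ' "$2"
}

SAMPLE_CELLSERVDB=$(mktemp)
cat > "$SAMPLE_CELLSERVDB" <<'EOF'
>example.test      # Constructed cell, not a real one
10.0.0.1          #db1.example.test
>iastate.edu      # Iowa State University
129.186.1.243     #afsdb-1.iastate.edu
129.186.6.243     #afsdb-2.iastate.edu
129.186.142.243   #afsdb-3.iastate.edu
EOF

cell_servers iastate.edu "$SAMPLE_CELLSERVDB" \
    || echo "iastate.edu is missing from $SAMPLE_CELLSERVDB"
```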
auto.master
$cat /etc/auto.master
# $Id: auto.master,v 1.2 1997/10/06 21:52:03 hpa Exp $
# Sample auto.master file
# Format of this file:
# mountpoint map options
# For details of the format look at autofs(8).
#/misc /etc/auto.misc
#/home /etc/auto.home
/home hesiod
nsswitch.conf
$cat /etc/nsswitch.conf
passwd: files hesiod #nisplus nis
shadow: files #hesiod nisplus nis
group: files hesiod #nisplus nis
hosts: files dns #nisplus nis dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files #hesiod nisplus
aliases: files #nisplus
pam_login
$cat /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_unix.so
auth required /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_krb5afs.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_unix.so use_authtok \
md5 shadow
password required /lib/security/pam_krb5.so use_authtok \
try_first_pass
session required /lib/security/pam_unix.so
session required /lib/security/pam_krb5.so
session sufficient /lib/security/pam_krb5afs.so
session optional /lib/security/pam_console.so
pam_sshd
# cat /etc/pam.d/sshd
#%PAM-1.0
#auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_unix.so
auth required /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_krb5afs.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_access.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_unix.so use_authtok \
md5 shadow
password required /lib/security/pam_krb5.so use_authtok \
try_first_pass
session required /lib/security/pam_unix.so
session required /lib/security/pam_krb5.so
session sufficient /lib/security/pam_krb5afs.so
session optional /lib/security/pam_console.so
access.conf
# tail -2 /etc/security/access.conf
+:slater travolta cage cast :ALL
athena_cshrc
$cat /usr/athena/lib/init/cshrc
# /etc/cshrc
#
# csh configuration for all shell invocations. Currently, a prompt.
#This is the mdk71 csh, with stuff from PV added, dja Sat Aug 19 17:01:25 CDT 2000
[ "`id -u`" = "0" ] && limit coredumpsize 1000000
if ($?prompt) then
    if ($?tcsh) then
        set prompt='[%n@%m %c]$ '
        #--lines cribbed from PV /usr/athena/lib/init/cshrc
        set history = 20        # Number of commands saved as history
        set cdpath = (~)        # Path to search for directory changes
        set interactive         # Provide shell variable for compatability
        set rmstar              # Provide "rm *" protection
        #--
    else
        set prompt=\[`id -nu`@`hostname -s`\]\$\
    endif
endif
# alias for a convenient way to change terminal type
alias term 'set noglob; unsetenv TERMCAP; eval `tset -s -I -Q - \!*`'
#if ((! $?NOCALLS) && (-r $HOME/.cshrc.mine)) source $HOME/.cshrc.mine
echo "system cshrc done"
References
Other Operating Systems
1. cvsup new source if you don't have it already
2. cd /usr/src/kerberosIV;make all install
3. ldd `which telnet` to view if libkrb.so.3 is being used.
4. Then do the same things that Tom tells to do for OpenBSD
Changelog
Date: Wed, 27 Sep 2000 11:20:50 -0500 (CDT)
From: Steve Langasek