Linux-RPM-AFS-kerberos-mini-HOWTO --or-- Linux-Acropolis-Enabling-mini-HOWTO

List of example files

About this document

Last modified Feb 25 2007.

This document is neglected by Joe Anderson, acropolis blat etrumeus daht com.

The latest version can be found at

This is version 0.5.1, as of 20070713.

Many changes to the Iowa State environment have been made since this document was current, and support from the Iowa State IT organization largely supersedes what is written here.


Steve Langasek's PV-HOWTO covers most of this, available at:

Folks at the University of Michigan, Cornell University, North Carolina State University, and the Massachusetts Institute of Technology, among others, have almost certainly dealt with these issues as well, and have had and may still have documentation available on the web you might find useful. Inspection of the default cells in the code for RedHat's, for example, suggests that the code in that package was put together at NCSU. No surprise there, since RedHat's World HQ and NCSU are only a few miles from each other!

Steve Langasek, Chris Campbell, Kevin Puetz, Tracy Di Marco White, John Hascall, Dave Edsall, Landon Evans, Thomas Kula and perhaps a few others that I'm unfortunately forgetting have been very helpful and inspirational, both through f2f discussion and via the mailing list, in my quests to get my machines working with Kerberos and AFS and in spreading the good word of ubiquitous (or, at least, campuswide) coordinated logins. Proper credits should also be available in the RPM packages listed below for their contributors.

Introduction & Rationale

This document is based on my ongoing installation and configuration experience of the software mentioned below, primarily on Mandrake 7.1 and Redhat 6.2 systems for use in the IASTATE.EDU cell.

I hope this is helpful, but I am no way responsible if it is not helpful or even causes you some trouble!

Furthermore, the department of Academic Information Technologies (aka AIT, the department formerly known as the Computation Center, aka Comp Center) may have people willing to help with this as well, but the software and functionality described is not, as far as I know, officially supported by them yet. So please keep comments regarding, and request for help from, AIT respectful rather than expectful. I do not represent AIT in any fashion.

Developments since Steve Langasek wrote the PV-HOWTO include the more widespread availability in "stable" distributions of krb5 packages for rpm-based systems such as RedHat, Mandrake, and SuSE, and possibly also for Debian-based systems (Steve has mentioned that the deb packages are now just about all in the unstable branch of Debian, ie, post Debian 2.2). Also since then has come the rollout of Windows 2000, which has in my opinion increased interest and awareness of Kerberos 5. And, most recently, IBM/Transarc has announce an Open Source fork of AFS (see References).



The software in the Needed list will allow you to mount AFS directories. The software in the Useful list will allow you to automatically mount AFS directories as users' home directories.

PAM, Kerberos, and hesiod alone can be used to authenticate users for giving them access to your local machine's resources, without necessarily using AFS. In this scenario, you need to create a local /home directory for users and ensure that uid's are consistent between your machine and the hesiod database, if they are logging in either at the console or remotely (via ssh, for instance). If you are giving them access to another service, then your needs depend on the nature of that service. We are, for example, using kerberos authentication to grant access to certain web directories. This doesn't require mounting of any home directory for the user. It does, however, require some care to use SSL so that the kerberos password doesn't go in the clear to the web server (among other concerns).

AFS requires Kerberos 4 tickets. One can use the MIT Kerberos 4 packages or the kth-krb4 packages to get these tickets. However, Kerberos 5 is the "wave of the future". Kerberos 5 tickets can be converted to Kerberos 4 tickets with a utility called krb524init which is included, for instance, in the Kerberos packages shipping with RedHat, and I would guess, is also available in other Kerberos 5 packages and implementations, such as the MIT source code, the Heimdahl source code, and Debian 2.2 packages. The PAM module pam_krb5afs can also get Kerberos 4 tickets for use in getting AFS tokens.

Some "gotchas":

Your system time needs to be sufficiently close to the time the Kerberos servers think it is in order for you to get tickets and for those tickets to work. rdate or netdate or xntpd can be used to keep your system time reasonably in sync with or other time servers of your choice. In my experience, frobbing around with the RedHat time settings using timeconfig was also necessary to get the time zone settings right.

krb5.conf needs to be configured to work with the domain/realm (I'm still unclear of the distinction here) of your choice, in this case IASTATE.EDU.

To use AFS, krb.conf (the Kerberos 4 config file) also needs to be configured, though it is smaller and simpler.

/etc/pam.d/ needs to be configured to use the and modules, typically put in /lib/security, in order to allow logging in with Acropolis IDs.

You need to use automount if you want AFS directories to appear as home directories automagically (managed, at least on RedHat, by the autofs init.d script). /etc/auto.master needs to be configured to have hesiod automount users /home directories

Also if you want AFS homedirectories, you need to have nsswitch.conf configured to direct passwd-type lookups to hesiod. The passwd record (from the Hesiod database) despite the name is used in this case to find the user's home directory, uid and gid, rather than the user's password. Kerberos deals with the password. See this email for a bit more info on the subject. For this to work, hesiod.conf needs to be configured.

In my experience, the invocation of arlad from within /etc/rc.d/init.d/arla needed to changed from the form I found in the rpms to the new form, which works also in the startarla script:

     daemon $BINDIR/arlad --sysname=i386_linux3  #old invocation
     daemon $BINDIR/arlad -z                     #new invocation

The are three big "gotchas" in my opinion:

The first is the need to compile the arla kernel module for one's specific kernel. This requires in turn that some kernel files need to be installed, that the arla spec file might need to be tweaked, and in general that certain other files/packages be installed. This manual dependency checking and fulfillment requires a bit more attention than the quite easy "fetch a binary package and install it with a package manager" cycle. The OpenAFS packages for Linux almost makes this a trivial, turn-key process, but not entirely.

The second big gotcha is that, with the changeover of the AAFUGIT server, I'm not sure that one can readily get the source for the autofs-hesiod modules. The binary packages I had from before the switch still work for me, but I don't know how widely they will work for others. (Again, this email addresses this concern somewhat).

The third big gotcha is that users end up using the same shell and dotfiles and all machines, and that a "universal" set of dotfiles that does everything properly on both Acropolis hosts and on locally Acropolis-enabled hosts might take some development. I've copied over /usr/athena/lib/init onto my local Acropolis-enabled hosts so that I can tweak them locally, but still take advantage of what the AIT system's group deems to be useful on their machines. In general, this has the double-edged advantages/disadvantages of being highly configurable yet highly contrained by the close coupling invovled in using the same set of user files across platforms.

The most intractable problem I've found so far regarding dotfiles has been an alias defined for "telnet" in most user's .cshrc.mine file in their AFS space, specifically:

	alias telnet 'title \!:*; /usr/ucb/telnet; cd .

In my own AFS space, I've commented that out. If you are the only user you have to worry about, this fix should work. If you have other users, then you've got problems. The trivial fix is to invoke telnet from the command line with the full pathname (/usr/kerberos/bin/telnet). Other options include making alias or desktop icons that invoke the proper binary.

A fourth gotcha is that, if you are going to be using PAM at all, you have to be careful with the configuration--the examples I offer aren't optimal at all. In some cases, I've found myself logging out as a user, or as root, and not able to log back in again, and having to boot the machine with a rescue disk or similar to change the configuration. Tread carefully here. To save yourself hassle, test your /etc/pam.d/login script on a separate virtual terminal before logging-out of the one in which you did the editing. If you can get in via login, then at least you can fix problems with /etc/pam.d/sshd or /etc/pam.d/xdm and so forth (assuming you have physical access to the machine, rather than doing this remotely!)



$cat /proc/version Linux version 2.2.16-9mdk ( (gcc version 2.95.3 19991030 (prerelease)) #1 Thu Jun 22 17:04:01 PDT 2000 $rpm -qa | grep krb krb5-configs-1.1.1-12 krbafs-1.0-3 krbafs-utils-1.0-3 krb5-libs-1.1.1-12 krb5-server-1.1.1-12 krb5-devel-1.1.1-12 krb5-workstation-1.1.1-12 pam_krb5-1-7 $rpm -qa | grep hesiod autofs-hesiod-3.1.3-10 hesiod-3.0.2-2 $rpm -qa | grep arla arla-0.33.1-3 arla-kernel-2.2.16-9mdk-nosmp-0.33.1-3


$cat /etc/krb.conf
IASTATE.EDU admin server
BOGUS.IASTATE.EDU admin server
SICS.SE admin server
NADA.KTH.SE admin server
ADMIN.KTH.SE admin server
BION.KTH.SE admin server
DSV.SU.SE admin server
E.KTH.SE admin server
MECH.KTH.SE admin server
KTH.SE admin server
ML.KVA.SE admin server
PI.SE admin server
STACKEN.KTH.SE admin server
SUNET.SE admin server
CYGNUS.COM admin server
DEVO.CYGNUS.COM admin server
ATHENA.MIT.EDU admin server
LCS.MIT.EDU admin server
SMS_TEST.MIT.EDU admin server
LS.MIT.EDU admin server
SOUP.MIT.EDU admin server
CATS.UCSC.EDU admin server
WATCH.MIT.EDU admin server
TELEBIT.COM admin server
ARMADILLO.COM admin server
TOAD.COM admin server
ZEN.ORG admin server
LLOYD.COM admin server
EPRI.COM admin server


$cat /etc/krb5.conf
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 ticket_lifetime = 24000
 default_realm = IASTATE.EDU
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc

  kdc =
  kdc =
  admin_server =
  default_domain =

[domain_realm] = IASTATE.EDU = IASTATE.EDU

 profile = /var/kerberos/krb5kdc/kdc.conf

 debug = true
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = true
 afs_cells =
 required_tgs = deejoe


$cat /etc/hesiod.conf
# This file determines the behavior of the Hesiod library.
# This line should pretty much always be the same, unless you have a
# funny environment.
# This determines the Hesiod domain.  You must specify an rhs line.
# This line specifies the class search order.  You can reverse the
# order or leave out IN or HS if you want.  Don't add spaces after the
# beginning of the value.

CellServDB is a file over 700 lines long at the time of this writing. It should include the following entries for ISU:


>               # Iowa State University       

A copy of CellServDB can be found in the free-unix locker on Project Acropolis (on an isua machine, "add free-unix" then "ls /home/free-unix"). There is also a script there, daily.CellServDB, for updating CellServDB.


$cat /etc/auto.master
# $Id: auto.master,v 1.2 1997/10/06 21:52:03 hpa Exp $
# Sample auto.master file
# Format of this file:
# mountpoint map options
# For details of the format look at autofs(8).
#/misc	/etc/auto.misc
#/home   /etc/auto.home  
/home hesiod


$cat /etc/nsswitch.conf

passwd:     files hesiod #nisplus nis
shadow:     files #hesiod nisplus nis
group:      files hesiod #nisplus nis

hosts:      files dns #nisplus nis dns

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files #hesiod nisplus
aliases:    files #nisplus


$cat /etc/pam.d/login

auth       required       /lib/security/
auth       required       /lib/security/
auth       sufficient     /lib/security/
auth       required       /lib/security/ use_first_pass
auth       required       /lib/security/
account    required       /lib/security/
password   required       /lib/security/
password   sufficient     /lib/security/ use_authtok \
                               md5 shadow
password   required       /lib/security/ use_authtok \
session    required       /lib/security/
session    required       /lib/security/
session    sufficient       /lib/security/
session    optional       /lib/security/


# cat /etc/pam.d/sshd

#auth       required       /lib/security/
auth       required       /lib/security/
auth       sufficient     /lib/security/
auth       required       /lib/security/ use_first_pass
auth       required       /lib/security/
account    required       /lib/security/
account    required        /lib/security/
password   required       /lib/security/
password   sufficient     /lib/security/ use_authtok \
                               md5 shadow
password   required       /lib/security/ use_authtok \
session    required       /lib/security/
session    required       /lib/security/
session    sufficient       /lib/security/
session    optional       /lib/security/


# tail -2 /etc/security/access.conf

+:slater travolta cage cast :ALL


$cat /usr/athena/lib/init/cshrc
# /etc/cshrc
# csh configuration for all shell invocations. Currently, a prompt.
#This is the mdk71 csh, with stuff from PV added, dja Sat Aug 19 17:01:25 CDT 2000

[ "`id -u`" = "0" ] && limit coredumpsize 1000000

if ($?prompt) then
  if ($?tcsh) then
    set prompt='[%n@%m %c]$ ' 
#--lines cribbed from PV /usr/athena/lib/init/cshrc
        set history = 20        #  Number of commands saved as history
        set cdpath = (~)        #  Path to search for directory changes
        set interactive         #  Provide shell variable for compatability
        set rmstar              #  Provide "rm *" protection
    set prompt=\[`id -nu`@`hostname -s`\]\$\ 

#   alias for a convenient way to change terminal type
alias term 'set noglob; unsetenv TERMCAP; eval `tset -s -I -Q - \!*`'

#if ((! $?NOCALLS) && (-r $HOME/.cshrc.mine)) source $HOME/.cshrc.mine

echo "system cshrc done"


Other Operating Systems

For OpenBSD, Tom has that covered for setting up kerberized telnet, but with FreeBSD you have to do something a little bit different:

1. cvsup new source if you don't have it already
2. cd /usr/src/kerberosIV;make all install 
3. ldd `which telnet` to view if is being used.
4. Then do the same things  that Tom tells to do for OpenBSD

See the list of references for a link to Thomas Kula's instructions for OpenBSD


Some minor wording tweaks.

2007-07-13 0.5.2 changed some contact information

2002-02-25 0.5

I don't know what I did for 0.4. Anyway, I moved around some <pre> and <code> tags to get the examples to look right in graphical browsers (or in Opera, at least).

Put back in Landon's comments about FreeBSD, which had dropped out somehow (maintainer error, for sure).

2001-05-15 0.4

Added the Other Operating Systems section, and included therein a Landon Evan's contribution regarding FreeBSD.

2001-04-28 0.3

Added changlog. Added a fourth "big gotcha" about avoiding inadvertent PAM lockouts. Added an "About this document" section as part of attempt to begin regularizing this doc. Something still wrong near the pam.d/sshd example file that breaks Konqueror, but ok in lynx and netscape. Added link to AcropolisTalk.ppt.

Copyright (c) 2000-2007 by D. Joe Anderson

Please freely copy and distribute (sell or give away) this document in any format. It's requested that corrections and/or comments be fowarded to the document maintainer. You may create a derivative work and distribute it provided that you:

If you're considering making a derived work other than a translation, it's requested that you discuss your plans with the current maintainer.

Date: Wed, 27 Sep 2000 11:20:50 -0500 (CDT)
From: Steve Langasek 
Subject: Re: [AAFUGIT] Linux From Scratch

On Wed, 27 Sep 2000, D. Joe Anderson wrote:

> Make sure to include hesiod-aware nsswitch stuff, and you'll need to have
> hesiod-aware autofs, which as far as I can tell is only available in
> Steve's autofs-hesiod package--I don't know if that's made it upstream or
> not.

autofs is in fact hesiod-aware already, it's just that most of the binary
packages you'll find don't have it compiled in because hesiod is
autodetected at build-time.

Steve Langasek
postmodern programmer