LinuxQuestions.org

Linux - Networking: obtain Kerberos afs ticket automatically at login (http://www.linuxquestions.org/questions/linux-networking-3/obtain-kerberos-afs-ticket-automatically-at-login-730365/)

OkoSanto 06-03-2009 05:51 AM

obtain Kerberos afs ticket automatically at login
 
Hi,

I've successfully installed & configured the openafs client. By running
Code:

klog.afs -principal "username"
and giving my password, I get afs access rights to my folder at the university. I'd like to have this happen automatically after login (I mean login on my local machine). Is there any way to script this (putting a script in /etc/init.d, for example)? I tried running an expect script to issue the klog.afs command, but when I put it in /etc/init.d/, it doesn't seem to work (access to my afs folder denied).

I'm confused as to how kerberos tokens relate to local users. If a script in /etc/init.d gets a kerberos token, is the token bound to the root on my machine, or is it also valid for my uid?

irishbitte 06-03-2009 06:34 AM

I'm guessing you're using wireless, right? In this case, the wireless connection is made once you have logged in. What you possibly can do is add your startup script to the login scripts, after the 'iwconfig' script.

OkoSanto 06-03-2009 07:34 AM

No, I'm using an ethernet connection on this machine, so I should be connected right away.

Can you give some more hints? At this point, I don't even know what a script that accomplishes this should look like... Before, I had the following expect script:
Code:

# klogscript: run klog.afs and answer its password prompt
spawn su <local username>
spawn klog.afs -principal <remote username>
# note: each spawn starts a new process and makes it the current one, so the
# expect/send below talk to klog.afs, not to su
expect "Password:*"
send -- "<password>\r"
expect eof

which I called from a script in /etc/init.d, i.e.
Code:

#!/bin/bash
expect klogscript

This procedure didn't work, but calling the expect script manually after startup did grant me access to afs.

irishbitte 06-03-2009 06:39 PM

Ok, I've tried reading up on this, and I don't have an AFS server to test on, but I do know that it is possible to configure PAM modules for kerberos: /etc/krb5.conf is the starting point. Are your user name and password for AFS the same as your local machine? It may be possible to automatically mount the AFS server using a PAM module.

Definitely you need to look at doing what is described here: http://help.unc.edu/6370 adjusting for your own local parameters.

OkoSanto 06-04-2009 08:06 AM

PAM seems to be the way to go, if I want to access my system + afs with a single login. But it's quite a complicated procedure, and it seems that doing things with my level of understanding could cause some complications (notably me being unable to login again if I screw up the settings...). I'm going to have to postpone this until I have the time to study it more carefully. (If I want to, I don't necessarily want to become a professional unix sysadmin :) Seems this afs is not really meant for the casual home user anymore.)

irishbitte 06-04-2009 05:34 PM

Well, an easy way to ensure that you don't lock yourself out is to create another user on your system with sudo rights, that is, add that new user to the admin group. That way, you can play with your main account, and you have a backdoor to reset things if it all goes wrong. PAM is not that difficult to set up, the problem is testing the setup.

Take a look at this link, this guy seems to have gone through similar things to you: http://www.alittletooquiet.net/text/kerberos-on-ubuntu/

OkoSanto 06-05-2009 07:18 AM

Yes, after reading some things about PAM, I'm also feeling less intimidated ;) .

If I get this right, adding only entries with control "sufficient" or "optional" could also never have the effect of locking me out, right? I suppose adding the wrong entries as "sufficient" could render my system vulnerable to attackers, but security is not really an issue at the moment (I'm mostly playing around with the configs anyway).

OkoSanto 06-05-2009 08:13 AM

Ok, it's actually pretty easy once you ignore the warnings like "you'll lose access to your system if you screw this up!!!" For future reference, I'll give a brief account here.

There are more than a couple of things I don't understand or I'm not sure of, so if you have comments and corrections, please speak up! :)

Apart from the usual (openafs client, kerberos-stuff I already forgot), you need the PAMs pam_krb5 and pam_openafs_session (available on debian and ubuntu as libpam-krb5 and libpam-openafs-session, respectively).

With those PAMs installed, you need to modify the right files in /etc/pam.d. I practically always use KDE and therefore only modified /etc/pam.d/kdm (remark/question: I think this also guarantees that, if I screwed up, I could still use normal login, i.e. through a terminal, and undo the damage??). I think gnome users should modify some file called "/etc/pam.d/gdm" etc?

Anyway, you add some lines to kdm which basically call pam_krb5 and make it obtain a kerberos ticket at login (by encoding the password you type at login and sending it to the kerberos host. Your local password therefore needs to be the same as your password at the kerberos service!) and manage it until the end of your session, as well as a line which calls pam_openafs_session, which gets an afs token from your kerberos ticket.

My /etc/pam.d/kdm therefore looks like this:
Code:

# added for Kerberos/AFS: the pam_krb5.so and pam_openafs_session.so lines
auth      sufficient  pam_krb5.so minimum_uid=1001
auth      optional    pam_openafs_session.so program=/usr/bin/aklog
auth      required    pam_nologin.so
auth      required    pam_env.so readenv=1
auth      required    pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
session   required    pam_limits.so

account   sufficient  pam_krb5.so minimum_uid=1001
@include common-account

password  sufficient  pam_krb5.so ignore_root debug minimum_uid=1001
@include common-password

session   optional    pam_krb5.so ignore_root debug minimum_uid=1001
session   optional    pam_openafs_session.so program=/usr/bin/aklog
@include common-session

where only the lines containing pam_krb5.so and pam_openafs_session.so were added. The thing with minimum_uid serves to guarantee that user no. 1000 as well as root stay unaffected (is this correct?), in case something goes wrong.

Important bits:
  • make sure your /etc/krb5.conf configuration file is correct (set your default_realm); you can check this first by observing that the terminal commands kinit and aklog don't return errors.
  • your local password needs to be the same as the password of the afs account you want to login to (I believe? But what about username?)

Some links:
http://www.alittletooquiet.net/text/kerberos-on-ubuntu/ (example pam_krb5 setup) (a hint from irishbitte)
http://en.gentoo-wiki.com/wiki/OpenA...h_MIT_Kerberos (the most detailed guide I could find, actually explaining all of the above)
http://www.scl.ameslab.gov/scl_user_info/debian.html (openafs setup)
http://web.mit.edu/AFS/sipb/project/.../README.Debian (openafs and Debian and therefore prob. Ubuntu, too)
http://content.hccfl.edu/pollock/AUnix2/PAM-Help.htm (a good page explaining some of the concepts and workings of PAMs)
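
The control flags in the auth section of the kdm stack above decide both whether a Kerberos failure can lock you out (the "sufficient"/"optional" question raised earlier in the thread) and what a Kerberos success skips. This added Python simulation is not code from the thread; it models a simplified Linux-PAM (no [value=action] syntax, an @include counted as one required module) and walks that stack for both cases.

```python
# Walk the Linux-PAM control flags of the 'auth' group in the kdm stack
# posted above (added illustration, not code from the thread). Simplified:
# required/requisite/sufficient/optional only, no [value=action] syntax;
# an @include counts as one 'required' module (assumption).

# Constructed copy of the auth section of the posted /etc/pam.d/kdm.
KDM_AUTH = """\
auth    sufficient  pam_krb5.so minimum_uid=1001
auth    optional    pam_openafs_session.so program=/usr/bin/aklog
auth    required    pam_nologin.so
auth    required    pam_env.so readenv=1
auth    required    pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
"""

def parse_group(text, group):
    """Return (control, module) pairs for one management group."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "@include":
            entries.append(("required", parts[1]))  # simplification, see above
        elif parts[0] == group:
            entries.append((parts[1], parts[2]))
    return entries

def run_stack(entries, results):
    """results = {module: succeeded?}; returns (verdict, modules consulted)."""
    consulted, required_failed = [], False
    for control, module in entries:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted            # fails at once
        if control == "required" and not ok:
            required_failed = True             # remembered, stack continues
        if control == "sufficient" and ok and not required_failed:
            return True, consulted             # short-circuit: rest is skipped
        # optional: its result is ignored while other modules decide
    return not required_failed, consulted

def krb5_accepts_password():
    """Local password equals the Kerberos one and the KDC answers."""
    ok = {"pam_krb5.so": True, "pam_nologin.so": True, "pam_env.so": True, "common-auth": True}
    return run_stack(parse_group(KDM_AUTH, "auth"), ok)

def krb5_fails():
    """KDC down, unknown principal, or uid below minimum_uid: pam_krb5 fails."""
    ok = {"pam_krb5.so": False, "pam_nologin.so": True, "pam_env.so": True, "common-auth": True}
    return run_stack(parse_group(KDM_AUTH, "auth"), ok)
```

In the success case only pam_krb5.so is consulted, so pam_nologin.so and pam_env.so never run for a Kerberos-authenticated login; in the failure case the stack falls through to common-auth, so the local password still works and no lockout occurs.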

irishbitte 06-05-2009 02:40 PM

You're making good progress, sounds great. I'm not exactly sure how AFS works as an implementation, but I imagine that the username / password combo would need to be the same as that on your default kerberos realm. I'm really not certain. It is the golden prize in computing at the moment to develop a Single Sign On system, that will mean you would only need to sign on once at the start of a session, and all the services you use are tied to that Single Sign On. The security aspect is a nightmare, but for convenience? Fantastic!

OkoSanto 06-06-2009 04:51 AM

Yes, right now, it works as I wanted it to, though I had to create a new user on my local machine with the same username as I have on the remote machine. I believe there are some krb5.conf options you can set to translate local usernames to remote usernames for this purpose, but I don't quite understand them yet. And anyway, it's time for me to get some actual work done instead of playing with the configuration ;) .

to be continued, I guess...
