Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
SDN 101: An Introduction to Software Defined Networking
Discover the advantages of SDN.
SDN has quickly become one of the hottest trends in IT. But not all SDN solutions offer real software-defined functionality. As more enterprises consider SDN, they want to know, “What is SDN? And what are the real benefits?” If you're ready to explore the advantages of SDN, and want to know how it should be implemented within your enterprise, start by reading our introductory white paper.
Click Here to receive this Complete Guide absolutely free.
I've successfully installed & configured the openafs client. By running
klog.afs -principal "username"
and giving my password, I get afs access rights to my folder at the university. I'd like to have this happening automatically after login (I mean login on my local machine). Is there any way to script this? (putting a script in /etc/init.d for example?). I tried running an expect script to issue the klog.afs command, but when putting it in /etc/init.d/, it doesn't seem to work (access to my afs folder denied).
I'm confused as to how kerberos tokens relate to local users. If a script in /etc/init.d gets a kerberos token, is the token bound to the root on my machine, or is it also valid for my uid?
I'm guessing you're using wireless, right? In this case, the wireless connection is made once you have logged in. What you possibly can do is add your startup script to the login scripts, after the 'iwconfig' script.
Ok, I've tried reading up on this, and I don't have an AFS server to test on, but I do know that it is possible to configure PAM modules for kerberos: /etc/krb5.conf is the starting point. Are your user name and password for AFS the same as your local machine? It may be possible to automatically mount the AFS server using a PAM module.
Definitely you need to look at doing what is described here: http://help.unc.edu/6370 adjusting for your own local parameters.
PAM seems to be the way to go, if I want to access my system + afs with a single login. But it's quite a complicated procedure, and it seems that doing things with my level of understanding, could cause some complications (notably me being unable to login again if I screw up the settings...). I'm going to have to postpone this until I have the time to study it more carefully. (If I want to, I don't necessarily want to become a professional unix sysadmin Seems this afs is not really meant for the casual home user anymore )
Well, an easy way to ensure that you don't lock yourself out, is create another user on your system with sudo rights, that is, add that new user to the admin group. That way, you can play with your main account, and you have a backdoor to reset things if it all goes wrong. PAM is not that difficult to setup, the problem is testing the setup.
Yes, after reading some things about PAM, I'm also feeling less intimidated .
If I get this right, adding only entries with control "sufficient" or "optional", could also never have the effect of locking me out, right? I suppose adding the wrong entries as "sufficient" could render my system vulnerable to attackers,but security is not really an issue at the moment (I'm mostly playing around with the configs anyway).
Ok, its actually pretty easy once you ignore the warnings the like of "you'll lose access to your system if you screw this up!!!" For future reference, I'll give a brief account here.
There are more than a couple of things I don't understand or I'm not sure of, so if you have comments and corrections, please speak up!
apart from the usual (openafs client, kerberos-stuff I already forgot), you need the PAMs pam_krb5 and pam_openafs_session (available on debian and ubuntu as libpam_krb5 and libpam_openafs_session, respectively).
With those PAMs installed, you need to modify the right files in /etc/pam.d . I practically always use KDE and therefore only modified /etc/pam.d/kdm (remark/question: I think this also guarantees that, if I screwed up, I could still use normal login, i.e. through a terminal, and undo the damage??). I think gnome users should modify some file called "/etc/pam.d/gdm" etc?
Anyway, you add some lines to kdm which basically call pam_krb5 and make it obtain a kerberos ticket at login (by encoding the password you type at login and sending it to the kerberos host. Your local password therefore needs to be the same as your password at the kerberos service!) and manage it until the end of your session, as well as a line which calls pam_openafs_session, which gets an afs token from your kerberos ticket.
where only the lines containing pam_krb5.so and pam_openafs_session.so were added. The thing with minimum_uid serves to guarantee that user nr. 1000 as well as root stay unaffected (is this correct?), in case something goes wrong.
make sure your /etc/krb5.conf configuration file is correct (set your default_realm)), you can check this first by observing that the terminal commands kinit and aklog don't return errors.
your local password needs to be the same as the password of the afs account you want to login to (I believe? But what about username?)
You're making good progress, sounds great. I'm not exactly sure how AFS works as an implementation, but I imagine that the username / password combo would need to be the same as that on your default kerberos realm. I'm really not certain. It is the golden prize in computing at the moment to develop a Single Sign On system, that will mean you would only need to sign on once at the start of a session, and all the services you use are tied to that Single Sign On. The security aspect is a nightmare, but for convenience? Fantastic!
Yes, right now, it works as I wanted it to, though I had to create a new user on my local machine with the same username as I have on the remote machine. I believe there are some krb5.conf options you can set to translate local usernames to remote usernames for this purpose, but I don't quite understand them yet. And anyway, it's time for me to get some actual work done instead of playing with the configuration .