LinuxQuestions.org
Old 06-03-2009, 05:51 AM   #1
OkoSanto
LQ Newbie
 
Registered: May 2009
Distribution: Kubuntu 9.04
Posts: 10

Rep: Reputation: 0
obtain Kerberos afs ticket automatically at login


Hi,

I've successfully installed & configured the openafs client. By running
Code:
klog.afs -principal "username"
and giving my password, I get afs access rights to my folder at the university. I'd like to have this happening automatically after login (I mean login on my local machine). Is there any way to script this? (putting a script in /etc/init.d for example?). I tried running an expect script to issue the klog.afs command, but when putting it in /etc/init.d/, it doesn't seem to work (access to my afs folder denied).

I'm confused as to how kerberos tokens relate to local users. If a script in /etc/init.d gets a kerberos token, is the token bound to the root on my machine, or is it also valid for my uid?
 
Old 06-03-2009, 06:34 AM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
I'm guessing you're using wireless, right? In this case, the wireless connection is made once you have logged in. What you possibly can do is add your startup script to the login scripts, after the 'iwconfig' script.
 
Old 06-03-2009, 07:34 AM   #3
OkoSanto
LQ Newbie
 
Registered: May 2009
Distribution: Kubuntu 9.04
Posts: 10

Original Poster
Rep: Reputation: 0
No, I'm using an ethernet connection on this machine, so I should be connected right away.

Can you give some more hints? At this point, I don't even know what a script that accomplishes this should look like... Before I had the following expect script
Code:
#!/usr/bin/expect -f
# Run klog.afs as the local user in one go (the original spawned su and
# klog.afs separately, so the second spawn never ran inside the su shell).
# The <...> placeholders have to be filled in before use.
spawn su - <local username> -c "klog.afs -principal <remote username>"
expect "Password:*"
send -- "<password>\r"
expect eof
which I called from a script in /etc/init.d, i.e.
Code:
#!/bin/bash
expect klogscript
This procedure didn't work, but calling the expect script manually after startup, did grant me access to afs
 
Old 06-03-2009, 06:39 PM   #4
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Ok, I've tried reading up on this, and I don't have an AFS server to test on, but I do know that it is possible to configure PAM modules for kerberos: /etc/krb5.conf is the starting point. Are your user name and password for AFS the same as your local machine? It may be possible to automatically mount the AFS server using a PAM module.

Definitely you need to look at doing what is described here: http://help.unc.edu/6370 adjusting for your own local parameters.
 
Old 06-04-2009, 08:06 AM   #5
OkoSanto
LQ Newbie
 
Registered: May 2009
Distribution: Kubuntu 9.04
Posts: 10

Original Poster
Rep: Reputation: 0
PAM seems to be the way to go, if I want to access my system + AFS with a single login. But it's quite a complicated procedure, and it seems that doing things with my level of understanding could cause some complications (notably me being unable to log in again if I screw up the settings...). I'm going to have to postpone this until I have the time to study it more carefully. (I don't necessarily want to become a professional Unix sysadmin. Seems this AFS is not really meant for the casual home user anymore.)
 
Old 06-04-2009, 05:34 PM   #6
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Well, an easy way to ensure that you don't lock yourself out, is create another user on your system with sudo rights, that is, add that new user to the admin group. That way, you can play with your main account, and you have a backdoor to reset things if it all goes wrong. PAM is not that difficult to setup, the problem is testing the setup.

Take a look at this link, this guy seems to have gone through similar things to you: http://www.alittletooquiet.net/text/kerberos-on-ubuntu/
 
Old 06-05-2009, 07:18 AM   #7
OkoSanto
LQ Newbie
 
Registered: May 2009
Distribution: Kubuntu 9.04
Posts: 10

Original Poster
Rep: Reputation: 0
Yes, after reading some things about PAM, I'm also feeling less intimidated.

If I get this right, adding only entries with control "sufficient" or "optional" could also never have the effect of locking me out, right? I suppose adding the wrong entries as "sufficient" could render my system vulnerable to attackers, but security is not really an issue at the moment (I'm mostly playing around with the configs anyway).
 
Old 06-05-2009, 08:13 AM   #8
OkoSanto
LQ Newbie
 
Registered: May 2009
Distribution: Kubuntu 9.04
Posts: 10

Original Poster
Rep: Reputation: 0
OK, it's actually pretty easy once you ignore the warnings like "you'll lose access to your system if you screw this up!!!" For future reference, I'll give a brief account here.

There are more than a couple of things I don't understand or I'm not sure of, so if you have comments and corrections, please speak up!

Apart from the usual (openafs client, kerberos stuff I already forgot), you need the PAMs pam_krb5 and pam_openafs_session (available on Debian and Ubuntu as libpam-krb5 and libpam-openafs-session, respectively).

With those PAMs installed, you need to modify the right files in /etc/pam.d . I practically always use KDE and therefore only modified /etc/pam.d/kdm (remark/question: I think this also guarantees that, if I screwed up, I could still use normal login, i.e. through a terminal, and undo the damage??). I think gnome users should modify some file called "/etc/pam.d/gdm" etc?

Anyway, you add some lines to kdm which basically call pam_krb5 and make it obtain a kerberos ticket at login (by encoding the password you type at login and sending it to the kerberos host. Your local password therefore needs to be the same as your password at the kerberos service!) and manage it until the end of your session, as well as a line which calls pam_openafs_session, which gets an afs token from your kerberos ticket.

My /etc/pam.d/kdm therefore looks like this:
Code:
# auth: pam_krb5 gets a Kerberos ticket with the login password,
# pam_openafs_session turns that ticket into an AFS token by running aklog
auth     sufficient   pam_krb5.so minimum_uid=1001
auth     optional     pam_openafs_session.so program=/usr/bin/aklog
auth     required     pam_nologin.so
auth     required     pam_env.so readenv=1
auth     required     pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
session  required     pam_limits.so

account  sufficient   pam_krb5.so minimum_uid=1001
@include common-account

password sufficient   pam_krb5.so ignore_root debug minimum_uid=1001
@include common-password

# session: keep the ticket cache for the length of the session and fetch the AFS token
session  optional     pam_krb5.so ignore_root debug minimum_uid=1001
session  optional     pam_openafs_session.so program=/usr/bin/aklog
@include common-session
where only the lines containing pam_krb5.so and pam_openafs_session.so were added. The thing with minimum_uid serves to guarantee that user nr. 1000 as well as root stay unaffected (is this correct?), in case something goes wrong.

Important bits:
  • make sure your /etc/krb5.conf configuration file is correct (set your default_realm); you can check this first by observing that the terminal commands kinit and aklog don't return errors.
  • your local password needs to be the same as the password of the AFS account you want to log in to (I believe? But what about the username?)

Some links:
http://www.alittletooquiet.net/text/kerberos-on-ubuntu/ (example pam_krb5 setup; a hint from irishbitte)
http://en.gentoo-wiki.com/wiki/OpenA...h_MIT_Kerberos (the most detailed guide I could find, actually explaining all of the above)
http://www.scl.ameslab.gov/scl_user_info/debian.html (openafs setup)
http://web.mit.edu/AFS/sipb/project/.../README.Debian (openafs on Debian, and therefore probably Ubuntu too)
http://content.hccfl.edu/pollock/AUnix2/PAM-Help.htm (a good page explaining some of the concepts and workings of PAMs)

Last edited by OkoSanto; 06-05-2009 at 12:11 PM. Reason: small correction...
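Editor's note on the stack in the post above (this is an added example, not part of the thread and not code from libpam-krb5 or OpenAFS): a "sufficient" module that succeeds ends the auth stack right there, so with pam_krb5 listed first, pam_nologin and both pam_env lines never run for anyone who authenticates against the KDC. The "sufficient/optional can never lock me out" intuition from post #7 is right, but the flip side is that a sufficient line placed too early lets things through. The POSIX shell script below lints a PAM service file for exactly these pitfalls: pam_nologin or pam_env listed after a sufficient pam_krb5, pam_krb5 lines without minimum_uid, and debug options left on. Both inputs are constructed inline so it runs offline: SAMPLE_PAM is the /etc/pam.d/kdm stack as posted, HARDENED_PAM is my suggested reordering of the same lines (nologin and env first, debug dropped); the reordering is an assumption of this example, not something the thread states.

```shell
#!/bin/sh
# pam_lint.sh: lint a pam_krb5 + pam_openafs_session stack for ordering and
# option pitfalls. Added example for this thread; both stacks below are
# embedded as constructed input so the script runs without a KDC or AFS cell.

# The /etc/pam.d/kdm stack as posted in the thread.
SAMPLE_PAM='auth    sufficient      pam_krb5.so minimum_uid=1001
auth    optional        pam_openafs_session.so program=/usr/bin/aklog
auth    required        pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
session required        pam_limits.so
account sufficient      pam_krb5.so minimum_uid=1001
@include common-account
password sufficient     pam_krb5.so ignore_root debug minimum_uid=1001
@include common-password
session optional        pam_krb5.so ignore_root debug minimum_uid=1001
session optional        pam_openafs_session.so program=/usr/bin/aklog
@include common-session'

# Same lines, reordered (assumption of this example): nologin and env run
# before the sufficient pam_krb5 line, debug removed.
HARDENED_PAM='auth    required        pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth    sufficient      pam_krb5.so minimum_uid=1001
auth    optional        pam_openafs_session.so program=/usr/bin/aklog
@include common-auth
session required        pam_limits.so
account sufficient      pam_krb5.so minimum_uid=1001
@include common-account
password sufficient     pam_krb5.so ignore_root minimum_uid=1001
@include common-password
session optional        pam_krb5.so ignore_root minimum_uid=1001
session optional        pam_openafs_session.so program=/usr/bin/aklog
@include common-session'

# pam_lint STACK_TEXT: print one WARN/INFO finding per line; prints nothing if clean.
pam_lint() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || /^[ \t]*$/ || $1 == "@include" { next }
    {
        type = $1; ctrl = $2; mod = $3
        pos[type]++
        # remember where the sufficient pam_krb5 line and the modules it can hide sit
        if (type == "auth" && ctrl == "sufficient" && mod ~ /pam_krb5/) krb = pos[type]
        if (type == "auth" && mod ~ /pam_nologin/) nologin = pos[type]
        if (type == "auth" && mod ~ /pam_env/) env = pos[type]
        if (mod ~ /pam_krb5/ && $0 !~ /minimum_uid=/)
            print "WARN " type ": pam_krb5 without minimum_uid also applies to root and system accounts"
        for (i = 4; i <= NF; i++)
            if ($i == "debug")
                print "INFO " type ": debug left on for " mod " (noisy syslog; drop it once the stack works)"
    }
    END {
        if (krb && nologin > krb)
            print "WARN auth: pam_nologin comes after sufficient pam_krb5; /etc/nologin is ignored for Kerberos logins"
        if (krb && env > krb)
            print "WARN auth: pam_env comes after sufficient pam_krb5; /etc/environment and locale are skipped for Kerberos logins"
    }'
}

# pam_lint_warnings STACK_TEXT: number of WARN findings (0 for a clean stack).
pam_lint_warnings() {
    pam_lint "$1" | awk '/^WARN/ { c++ } END { print c + 0 }'
}

# Stand-alone run: show findings for both stacks.
echo "== stack as posted =="
pam_lint "$SAMPLE_PAM"
echo "== reordered stack =="
pam_lint "$HARDENED_PAM"
echo "warnings: $(pam_lint_warnings "$SAMPLE_PAM") as posted, $(pam_lint_warnings "$HARDENED_PAM") reordered"
```

To check a live system, replace the embedded text with `pam_lint "$(cat /etc/pam.d/kdm)"`. Note what the lint does not cover: with pam_krb5 sufficient and first, common-auth (pam_unix) is also skipped on success, which is what avoids a second password prompt, so that part of the order is intentional; the AFS token itself is reliably obtained by the session-phase pam_openafs_session line, which is why that line matters more than the auth-phase one.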
 
Old 06-05-2009, 02:40 PM   #9
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
You're making good progress, sounds great. I'm not exactly sure how AFS works as an implementation, but I imagine that the username / password combo would need to be the same as that on your default kerberos realm. I'm really not certain. It is the golden prize in computing at the moment to develop a Single Sign On system, that will mean you would only need to sign on once at the start of a session, and all the services you use are tied to that Single Sign On. The security aspect is a nightmare, but for convenience? Fantastic!
 
Old 06-06-2009, 04:51 AM   #10
OkoSanto
LQ Newbie
 
Registered: May 2009
Distribution: Kubuntu 9.04
Posts: 10

Original Poster
Rep: Reputation: 0
Yes, right now it works as I wanted it to, though I had to create a new user on my local machine with the same username as I have on the remote machine. I believe there are some krb5.conf options you can set to translate local usernames to remote usernames for this purpose, but I don't quite understand them yet. And anyway, it's time for me to get some actual work done instead of playing with the configuration.

to be continued, I guess...
 
  


Tags
authentication, kerberos, login, pam, pamkrb5, remote login

