Archive

Posts Tagged ‘Kerberos’

OpenAFS-Client on Ubuntu 9.10 – the dkms way

February 2nd, 2010

With sur5r’s dkms-hint, let’s write this article again:

The installation of the client on modern Linux distributions is pretty straightforward.

  1. get the packages
  2. compile the kernel module
  3. mess around in some config files

First step: get the packages
sudo apt-get install openafs-client openafs-doc openafs-modules-dkms openafs-krb5 krb5-clients krb5-config krb5-user krb5-doc

(Yes, we’ll install the -doc packages, because everyone likes documentation)

Last step: the config files
Open /etc/krb5.conf and edit the sections containing the following:

[libdefaults]
        default_realm = MYCELL.NET
[realms]
        MYCELL.NET = {
                kdc = kdc1.mycell.net
                kdc = kdc2.mycell.net
                admin_server = kdc1.mycell.net
                default_domain = mycell.net
        }
[domain_realm]
        .mycell.net = MYCELL.NET
        mycell.net = MYCELL.NET

You should translate mycell.net to your local cell settings, but you already knew that, right? Ask your AFS admin if you are not sure about the correct values.

You may also take a look at /etc/openafs/afs.conf.client, /etc/openafs/ThisCell and /etc/openafs/CellServDB, but in most cases there’s no need to change anything within these three files. If you need to get an updated version of /etc/openafs/CellServDB, just get it via FTP from grand.central.org.
sudo wget -O /etc/openafs/CellServDB ftp://ftp.central.org/pub/cellservdb/CellServDB

The very last step: restart the client
sudo /etc/init.d/openafs-client restart
Now the magic happens. The missing kernel module will be compiled just in time and the OpenAFS client gets started. The benefit: remember updating your kernel and then updating every single module again and again? With dkms you only need to update the kernel; the modules will be upgraded automagically.

You’re done! kinit and aklog will be your best friends from now on! :-)


OpenAFS-Client on Ubuntu 9.10 “Karmic Koala”

January 31st, 2010

After installing my favourite window manager, next thing I’ll need is the OpenAFS-Client.

The installation of the client on modern Linux distributions is pretty straightforward.

  1. get the packages
  2. compile the kernel module
  3. mess around in some config files

First step: get the packages
sudo apt-get install openafs-client openafs-doc openafs-modules-source openafs-krb5 krb5-clients krb5-config krb5-user krb5-doc

(Yes, we’ll install the -doc packages, because everyone likes documentation)

Next step: build the kernel module
Maybe you’ll need some more packages for this step:
sudo apt-get install module-assistant build-essential
Now start the module assistant, to build the openafs-module.
sudo module-assistant

The first entries “UPDATE” and “PREPARE” could take a few minutes, because any missing packages (e.g. kernel sources or headers, or the compiler toolchain) will be installed. “SELECT” will open the next window, where you should search for the module and select it.

Now build the module. The next question will be “would you like to install the build module?”, but by now you should be able to guess what to do ;-)
You should now exit the module assistant.

Last step: the config files
Open /etc/krb5.conf and edit the sections containing the following:

[libdefaults]
        default_realm = MYCELL.NET
[realms]
        MYCELL.NET = {
                kdc = kdc1.mycell.net
                kdc = kdc2.mycell.net
                admin_server = kdc1.mycell.net
                default_domain = mycell.net
        }
[domain_realm]
        .mycell.net = MYCELL.NET
        mycell.net = MYCELL.NET

You should translate mycell.net to your local cell settings, but you already knew that, right? Ask your AFS admin if you are not sure about the correct values.

You may also take a look at /etc/openafs/afs.conf.client, /etc/openafs/ThisCell and /etc/openafs/CellServDB, but in most cases there’s no need to change anything within these three files. If you need to get an updated version of /etc/openafs/CellServDB, just get it via FTP from grand.central.org.
sudo wget -O /etc/openafs/CellServDB ftp://ftp.central.org/pub/cellservdb/CellServDB

The very last step: restart the client
sudo /etc/init.d/openafs-client restart
Stopping AFS services:.
Starting AFS services: openafs afsd.
afsd: All AFS daemons started.

You’re done! kinit and aklog will be your best friends from now on! :-)
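
Added example (not part of the original posts): a pre-flight check for the three files touched in the config step of both OpenAFS client posts above, useful before restarting the client or before a freshly downloaded CellServDB replaces the installed one. It assumes the article's convention that the Kerberos realm is the cell name in upper case; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Print default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
    awk '/^\[/ { lib = ($0 ~ /^\[libdefaults\]/) }
         lib && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Succeed only if every non-empty line is ">cell [#comment]" or
# "IPv4 [#host]" (optionally in [brackets]) and a cell line comes first.
cellservdb_is_wellformed() {
    awk '/^[ \t]*$/ { next }
         /^>[A-Za-z0-9._-]+([ \t]+#.*)?$/ { cell = 1; next }
         /^\[?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]?([ \t]*#.*)?$/ { if (!cell) bad = 1; next }
         { bad = 1 }
         END { exit (bad || !cell) }' "$1"
}

# Succeed if the cell named in ThisCell has an entry in CellServDB.
cell_is_listed() {   # $1 = ThisCell, $2 = CellServDB
    cell=$(tr -d ' \t\r\n' < "$1")
    awk -v c="$cell" '$1 == ">" c { found = 1 } END { exit !found }' "$2"
}

# Assumption: the realm is the upper-cased cell name, as in the article.
realm_matches_cell() {   # $1 = krb5.conf, $2 = ThisCell
    realm=$(krb5_default_realm "$1")
    cell=$(tr -d ' \t\r\n' < "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$realm" ] && [ "$realm" = "$cell" ]
}

# Run all checks; print the first failure and return non-zero.
preflight() {   # $1 = krb5.conf, $2 = ThisCell, $3 = CellServDB
    cellservdb_is_wellformed "$3" || { echo "CellServDB malformed"; return 1; }
    cell_is_listed "$2" "$3" || { echo "ThisCell not in CellServDB"; return 1; }
    realm_matches_cell "$1" "$2" || { echo "default_realm != cell"; return 1; }
    echo "ok"
}

# Constructed sample files using the article's mycell.net placeholders.
write_sample() {   # $1 = directory
    printf '[libdefaults]\n        default_realm = MYCELL.NET\n' > "$1/krb5.conf"
    printf 'mycell.net\n' > "$1/ThisCell"
    printf '>mycell.net  #constructed\n192.0.2.10  #db1.mycell.net\n' > "$1/CellServDB"
}

d=$(mktemp -d) && write_sample "$d"
preflight "$d/krb5.conf" "$d/ThisCell" "$d/CellServDB"   # prints "ok"
rm -rf "$d"
```

On a real client the arguments would be /etc/krb5.conf, /etc/openafs/ThisCell and /etc/openafs/CellServDB, or a downloaded copy of CellServDB checked in a temporary location before it overwrites the installed file.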


Kerberos – a dialogue in four scenes

October 6th, 2009

This dialogue provides a fictitious account of the design of an open-network authentication system called “Charon”. As the dialogue progresses, the characters Athena and Euripides discover the problems of security inherent in an open network environment. Each problem must be addressed in the design of Charon, and the design evolves accordingly. Athena and Euripides don’t complete their work until the dialogue’s close.

Even though this text is rather old by now, and I have already referred to it (too) often, it is worth reading again and again.

And what do we learn from this? IT people have a sense of humour too.

Talk: Kerberos Security

July 4th, 2009

After my OpenSolaris talk yesterday was a success (I was able to hand out a few LiveCDs afterwards, and I already count that as a success), I will hide behind the lectern again today.

My topic for today: Kerberos Security.

Passwords have one big drawback: it is too easy to lose track of them. One possible approach to this problem is to use Kerberos for authenticating and authorizing users, together with distributed user management for the services offered.
Using the UUGRN infrastructure as an example, a fictitious Kerberos setup working together with OpenLDAP is shown: what possibilities it offers, what risks and pitfalls exist, and how much and what kind of effort an implementation involves.
An introduction to the terminology and the basics of Kerberos ensures that listeners of every level of knowledge are welcome.

Interested? Off to the 0x0A in Schwetzingen. My time slot starts at 18:00.

mod_waklog 1.00 released

June 9th, 2009

I am pleased to announce that version 1.00 of mod_waklog is now available to download.

mod_waklog is an Apache module that provides aklog-like semantics for the web. mod_waklog will acquire (and store in the kernel) an AFS credential when a connection is opened, use the credential for the duration of the connection, and will remove the credential when the connection is closed.

This release adds support for Apache2, a shared token cache, per-<Location> principals, and many other improvements.

Please note that the names of some of the configuration directives have changed in this release. See the README for the new names.

[Source: Adam via openafs-announce]

Think of mod_waklog as the backend behind Filedrawers, i.e. the interface between Apache and the Kerberos realm.

mod_waklog is developed in C. mod_waklog acquires AFS credentials of the logged in user and allows Apache to run as that user.

[Source: modwaklog.org]

OpenAFS Meeting 2009 in Rome

February 17th, 2009

Last year the former German AFS workshop turned into a European event. It got organized outside Germany in Graz, Austria. This year the meeting is hosted in Rome, Italy, and we would like to encourage participation from more than the German speaking countries.

… and who wouldn’t like to go to Rome? :-)

The workshop is mainly a platform for system administrators to exchange their knowledge and report use cases. Topics of interest include related technologies like Kerberos or LDAP and all supported operating systems.

The date: 28 – 30 September 2009

More info? Here and here.

OpenAFS Workshop 2008 – Day 2

September 26th, 2008

The second day was also well worth it.

To name two examples:

One fun event was the live debugging:

And thanks to the wifi network at the “eckhaus” and Simon’s help, Interdose now has a working Filedrawers setup. Thanks again, Simon!

Anyone interested in the slides of the talks and site reports will find them in the agenda on openafs.at.