Note that this document is under development. Also, I don't try to explain the [[OpenAFS]] specific parts of the install -- This document describes only the changes that have to be made to create a new [[OpenAFS]] cell with [[KerberosV]] authentication. If you have followed these instructions and are still having problems please email the openafs-info mailing list.
+Derrick wrote nice pages at: <http://www.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs/afs-with-kerberos.html> <http://www.contrib.andrew.cmu.edu/~shadow/afs/afs-with-kerberos.html>
+
## <a name="Basics"></a> Basics
To continue, you need a working Kerberos realm. See [[SettingUpAuthentication]] for the implementation options, and refer to the documentation that comes with your particular version of Kerberos to establish your realm. It is easiest if your realm name is the caps version of your cell name, which in turn is the same as your site's domain name. For example if your site's domain is 'greekmythology.com', your Kerberos realm name should be 'GREEKMYTHOLOGY.COM' and your AFS cell name should be 'greekmythology.com'. See [[KerberosTerms]] if you are confused on what a "realm" is.
Things to remember about AFS [[KeyFile]]: they must contain a key using the des-cbc-crc encryption type and the key must have exactly same kvno as the afs/greekmythology.com@GREEKMYTHOLOGY.COM in the Kerberos database. If cell is same as lowercased GREEKMYTHOLOGY.COM name, you can create <afs@GREEKMYTHOLOGY.COM> instead of afs/cell@GREEKMYTHOLOGY.COM.
-[[KerberosVMIT]]:
+#### <a name="KerberosVMIT"></a> [[KerberosVMIT]]
- set up krb524d. You will need to make sure your krb524d server host includes something like this in krb5.conf. Only one of the 2 entries should be needed for a realm, depending on how you did the setup in your [[KerberosV]] database.
}
}
-[[HeimdalKTH]] from <http://www.pdc.kth.se/heimdal>:
+- use <code>**kadmin get**</code> command and <code>**ktutil copy**</code> similarly as described in section Heimdal to create afs key in a database or use for the last step instead of ktutil <code>**asetkey**</code> as below
+
+- The AFS-Kerberos5 migration kit includes a program <code>**asetkey**</code>
+
+Save the AFS key from kerberos KDC to a file, possibly using kadmin(see KTH [[KerberosIV]] section above), and the use either <code>**asetkey**</code> or use <code>**ktutil**</code> (see [[HeimdalKTH]] section below) to convert the format and save into [[KeyFile]].
+
+ asetkey add 0 /etc/srvtab.afskey afs.cell@REALM
+The \`0' above means kvno (key version number 0). Use ktutils list or similar like <code>**kadmin get**</code> command to see, what kvno has the afs key in Kerberos database. Use exactly same number when running <code>**asetkey**</code>. There's
+
+#### <a name="HeimdalKTH"></a> [[HeimdalKTH]]
+
+- <http://www.pdc.kth.se/heimdal>
- kdc will service krb524 requests
-- edit /etc/krb5.conf similar to to example below
+- edit /etc/krb5.conf similar to the example below
[logging]
default = FILE:/var/log/krb5libs.log
enable-524 = true
v4-realm = GREEKMYTHOLOGY.COM
-Someone wrote a nice pages at: <http://www.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs/afs-with-kerberos.html> <http://www.contrib.andrew.cmu.edu/~shadow/afs/afs-with-kerberos.html>
+The [[HeimdalKTH]] distribution's <code>**ktutil**</code> can copy directly into an AFS [[KeyFile]] and removes salt from keys
+
+ kadmin --admin-server=my_kdc_server
+ kadmin> add --random-key afs/cell
+ kadmin> del_enctype afs/cell@REALM des3-cbc-sha1
+ kadmin> get afs/cell@REALM
+ kadmin> list *
+ kadmin> ext -k /etc/afskeytabfile.krb5
+ kadmin> quit
+ ktutil -k /etc/afskeytabfile.krb5 list
+ ktutil copy FILE:/etc/afskeytabfile.krb5 AFSKEYFILE:/usr/afs/etc/KeyFile
+
+After you have a working [[KeyFile]] installed in the appropriate directory (/usr/afs/etc/KeyFile for transarc-paths, ???? otherwise) and with the appropriate permissions (0600, owner root), we can create administrative users for AFS. This is a two step process as we first create an authentication principal in the Kerberos database then add the admin user in the authorization ("protection") database in the AFS server.
+
+Create a user ("joe/admin" in this example) using the appropriate kadmin utility with your [[KerberosV]] distribution. Set a secure password, and note that setting Kerberos admin rights for this user does **not** affect his AFS rights. Please note, that "joe/admin@REALM" is [[KerberosV]] notation and that [[KerberosIV]] is using "joe.admin@REALM". As AFS is based on [[KerberosIV]], you should specify "joe.admin@REALM" or just "joe.admin". (I did this mistake recently and for days was hunting for an explanation, why while having valid tickets, valid AFS tokens with proper kvno (key version number as the one in Kerberos KDC) fileserver, ptserver and bosserver complain about my AFS token being invalid. Yes, I had in the /usr/(afs|vice)/etc/UserList file "joe/admin@REALM"). In [[OpenAFS]]-1.2.8, you can possibly enable Kerbero5 syntax for usernames (See [this message](https://lists.openafs.org/pipermail/openafs-devel/2002-December/003632.html) to openafs-devel)
-[[KerberosIV]], like KTH Kerberos4 from <http://www.pdc.kth.se/kth-krb> :
+#### <a name="KTH Kerberos4"></a> KTH Kerberos4
-Create afs principal entry in kerberos database:
+- <http://www.pdc.kth.se/kth-krb> :
-If you have afs key already created using "kadmin add", you had to specify password on interactively. That's quite weak password. Much better is to do <code>**kadmin get**</code>. <code>**kadmin**</code> will try to download the key from KDC, and if it's not present, it will create one, using random key. That's what we want.
+You can create afs key using "kadmin add", you had to specify password on interactively. That's quite weak password. Much better is to do <code>**kadmin get**</code>. <code>**kadmin**</code> will try to download the key from KDC, and if it's not present, it will create one, using random key. That's what we want.
ksrvutil(1) does similar and doesn't require from you to have kadmind(1) running on your machine. The "get" command does same: downloads or (in our case) creates new afs principal using random password. The next example expects that joe.admin is you and you know the proper password to get full access to you kerberos database:
If you have some tokens now, then it works and you can now shutdown kaserver. Users, which you have created under kaserver are stored in /usr/afs/db/kaserver.\*, but you can just forget them. Create these users again in Kerberos. With [[KerberosIV]] from KTH they get stored under /var/kerberos, when using Heimdal under /var/heimdal/.
-[[KerberosVMIT]]:
-
-- The AFS-Kerberos5 migration kit includes a program <code>**asetkey**</code>
-
-Save the AFS key from kerberos KDC to a file, possibly using kadmin(see KTH [[KerberosIV]] section above), and the use either <code>**asetkey**</code> or use <code>**ktutil**</code> (see [[HeimdalKTH]] section below) to convert the format and save into [[KeyFile]].
-
- asetkey add 0 /etc/srvtab.afskey afs.cell@REALM
-
-The \`0' above means kvno (key version number 0). Use ktutils list or similar like <code>**kadmin get**</code> command to see, what kvno has the afs key in Kerberos database. Use exactly same number when running <code>**asetkey**</code>. There's
-
-[[HeimdalKTH]]:
-
-- The [[HeimdalKTH]] distribution's <code>**ktutil**</code> can copy directly into an AFS [[KeyFile]]
-
- kadmin --admin-server=my_kdc_server
- kadmin> add --random-key afs/cell
- kadmin> del_enctype afs/cell@REALM des3-cbc-sha1
- kadmin> get afs/cell@REALM
- kadmin> list *
- kadmin> ext -k /etc/afskeytabfile.krb5
- kadmin> quit
- ktutil -k /etc/afskeytabfile.krb5 list
- ktutil copy FILE:/etc/afskeytabfile.krb5 AFSKEYFILE:/usr/afs/etc/KeyFile
-
-After you have a working [[KeyFile]] installed in the appropriate directory (/usr/afs/etc/KeyFile for transarc-paths, ???? otherwise) and with the appropriate permissions (0600, owner root), we can create administrative users for AFS. This is a two step process as we first create an authentication principal in the Kerberos database then add the admin user in the authorization ("protection") database in the AFS server.
-
-Create a user ("joe/admin" in this example) using the appropriate kadmin utility with your [[KerberosV]] distribution. Set a secure password, and note that setting Kerberos admin rights for this user does **not** affect his AFS rights. Please note, that "joe/admin@REALM" is [[KerberosV]] notation and that [[KerberosIV]] is using "joe.admin@REALM". As AFS is based on [[KerberosIV]], you should specify "joe.admin@REALM" or just "joe.admin". (I did this mistake recently and for days was hunting for an explanation, why while having valid tickets, valid AFS tokens with proper kvno (key version number as the one in Kerberos KDC) fileserver, ptserver and bosserver complain about my AFS token being invalid. Yes, I had in the /usr/(afs|vice)/etc/UserList file "joe/admin@REALM"). In [[OpenAFS]]-1.2.8, you can possibly enable Kerbero5 syntax for usernames (See [this message](https://lists.openafs.org/pipermail/openafs-devel/2002-December/003632.html) to openafs-devel)
+### <a name="Finishing _OpenAFS installation"></a> Finishing [[OpenAFS]] installation
-Now we will use the <code>**pts**</code> command in [[OpenAFS]] to add this joe.admin user to the AFS administrators group named system:administrators. The username could be just "joe" or "admin", but it's a good habit to have .admin appended to it (it is called instance):
+Now we will use the <code>**pts**</code> command in [[OpenAFS]] to add this joe.admin user to the AFS administrators group named system:administrators. The username could be just "joe" or "admin", but it's a good habit to have .admin appended to it (it is called instance). Please note the notation "joe.admin", not "joe/admin" as would be typical in Kerberos5 style:
pts createuser -name joe.admin -cell greekmythology.com -noauth
pts adduser joe.admin system:administrators -cell -noauth
where greekmythology.com is the name of your local cell. After your complete this step, you can continue on to...
-### <a name="Finishing _OpenAFS installation"></a> Finishing [[OpenAFS]] installation
-
-First, activate the new AFS [[KeyFile]] by executing:
+Activate the new AFS [[KeyFile]] by executing:
bos restart <machine name> -all -cell <cell name> -noauth
git://git.openafs.org / openafs-wiki.git / commitdiff