Hi

I am trying to install an openafs server (well, trying to configure
it) as a MIT kerberos 5 client (authentication in a realm other than the
cell name) on a Slackware 10.1 machine running kernel 2.4.29. Well, Slack
does not include PAM, so I installed it (under /usr/local/linux-pam)
*after* installing openafs and kerberos 5. However, I do not see
pam_krb5.so and such libraries created
in /usr/local/linux-pam/lib/security. I wish to know what I should do to
get these libraries to compile (in case they are needed).

Thanks.

Madhusudan Singh wrote:
> Hi
>
> I am trying to install an openafs server (well, trying to configure
> it) as a MIT kerberos 5 client (authentication in a realm other than the
> cell name) on a Slackware 10.1 machine running kernel 2.4.29. Well, Slack
> does not include PAM, so I installed it (under /usr/local/linux-pam)
> *after* installing openafs and kerberos 5. However, I do not see
> pam_krb5.so and such libraries created
> in /usr/local/linux-pam/lib/security. I wish to know what I should do to
> get these libraries to compile (in case they are needed).
>
> Thanks.

Shouldn't the PAM module be part of kerberos ? I think PAM includes
just the base other apps/packages use to build their own PAM libs, which
then go in /usr/local/linux-pam/lib/security ( or wherever...).

I'd think you'd want to install PAM, *then* compile kerberos so it
includes PAM support, and builds the required libs...

Just a guess though, since I've never added PAM support to Slack.

--
- Matt -

Matt Payton wrote:

> Madhusudan Singh wrote:
>> Hi
>>
>> I am trying to install an openafs server (well, trying to
>> configure
>> it) as a MIT kerberos 5 client (authentication in a realm other than the
>> cell name) on a Slackware 10.1 machine running kernel 2.4.29. Well, Slack
>> does not include PAM, so I installed it (under /usr/local/linux-pam)
>> *after* installing openafs and kerberos 5. However, I do not see
>> pam_krb5.so and such libraries created
>> in /usr/local/linux-pam/lib/security. I wish to know what I should do to
>> get these libraries to compile (in case they are needed).
>>
>> Thanks.
>
> Shouldn't the PAM module be part of kerberos ? I think PAM includes
> just the base other apps/packages use to build their own PAM libs, which
> then go in /usr/local/linux-pam/lib/security ( or wherever...).
>
> I'd think you'd want to install PAM, *then* compile kerberos so it
> includes PAM support, and builds the required libs...
>
> Just a guess though, since I've never added PAM support to Slack.
>

Thanks for your response. How do I tell kerberos installation where to find
the compiled pam modules ?

Madhusudan Singh wrote:

[...]

> Thanks for your response. How do I tell kerberos installation where to find
> the compiled pam modules ?

I would guess that you'll have to recompile kerberos to include PAM, and
as part of ./configure you'd tell it where the PAM libs are.

Again, this is just a guess...

Actually, now that I poked around on a RedHat based machine I see there
is a specific pam_krb5afs package. googling pam_krb5afs turns up quite
a few hits, so maybe that's a good place to start...

--
- Matt -

On Sun, 10 Jul 2005 12:34:47 -0400, Madhusudan Singh wrote:

> Hi
>
> I am trying to install an openafs server (well, trying to configure
> it) as a MIT kerberos 5 client (authentication in a realm other than the
> cell name) on a Slackware 10.1 machine running kernel 2.4.29. Well, Slack
> does not include PAM, so I installed it (under /usr/local/linux-pam)
> *after* installing openafs and kerberos 5. However, I do not see
> pam_krb5.so and such libraries created
> in /usr/local/linux-pam/lib/security. I wish to know what I should do to
> get these libraries to compile (in case they are needed).
>
I'm wondering if you even need PAM. I know nothing about openafs, but I'm
using Kerberos along with Samba and openldap to join a Windows Active
Directory domain.
Kerberos happily gets a ticket from the Windows Domain Controler, in
Slackware 10.1, without PAM.

Mike

----== Posted via Newsfeeds.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

Matt Payton wrote:

> Madhusudan Singh wrote:
>
> [...]
>
>> Thanks for your response. How do I tell kerberos installation where to
>> find the compiled pam modules ?
>
> I would guess that you'll have to recompile kerberos to include PAM, and
> as part of ./configure you'd tell it where the PAM libs are.
>
> Again, this is just a guess...
>

A guess I made before I posed my followup question. There do not seem to be
any such options in the kerberos configure script.

> Actually, now that I poked around on a RedHat based machine I see there
> is a specific pam_krb5afs package. googling pam_krb5afs turns up quite
> a few hits, so maybe that's a good place to start...
>

I found the pam_krb5 source code on sourceforge. But I cannot seem to find
pam_krb5afs. Further, the configure options for pam_krb5 seem to make
reference to existing kerberos 5 library and pam library paths :

--with-pamdir=dir Where to put pam module LIBDIR/security
--with-krb5=dir Look for Kerberos libs, headers in another
directory
--with-krb4=dir use Kerberos 4 headers and libs under dir
--with-krbafs=dir use Kerberos 5-hacked krbafs package under dir

So what should I do ? Compile kerberos first or pam_krb5 first ? And does
either give me pam_krb5afs ?

krbafs is another package entirely and does not seem to have anything to do
with pam_krb5afs (http://web.mit.edu/openafs/krbafs/).

I have been a slack user for more than a year and would gladly recommend
this to anyone anyday, but this mess with pam seems to be a serious
shortcoming to me.

Thanks for your response.

Mike Denhoff wrote:

> On Sun, 10 Jul 2005 12:34:47 -0400, Madhusudan Singh wrote:
>
>> Hi
>>
>> I am trying to install an openafs server (well, trying to
>> configure
>> it) as a MIT kerberos 5 client (authentication in a realm other than the
>> cell name) on a Slackware 10.1 machine running kernel 2.4.29. Well, Slack
>> does not include PAM, so I installed it (under /usr/local/linux-pam)
>> *after* installing openafs and kerberos 5. However, I do not see
>> pam_krb5.so and such libraries created
>> in /usr/local/linux-pam/lib/security. I wish to know what I should do to
>> get these libraries to compile (in case they are needed).
>>
> I'm wondering if you even need PAM. I know nothing about openafs, but I'm
> using Kerberos along with Samba and openldap to join a Windows Active
> Directory domain.
> Kerberos happily gets a ticket from the Windows Domain Controler, in
> Slackware 10.1, without PAM.
>
> Mike
>

That would indeed be the ideal situation. But how do I authenticate users
against the kerberos realm on the client by forwarding the authentication
requests without pam ? Further, is there a way to create a kerberos
graylist (i.e., only those users that are in that list will be sought to be
authenticated while the rest rejected summarily) ?

A reference to a Howto would be nice.

On Sun, 10 Jul 2005 21:35:05 -0400, Madhusudan Singh wrote:
> Matt Payton wrote:
>> Madhusudan Singh wrote:

>> I would guess that you'll have to recompile kerberos to include PAM,
>> and as part of ./configure you'd tell it where the PAM libs are.

You don't, it's the other way around: compile Kerberos first, then
anything that needs its libs - against them.

>> Actually, now that I poked around on a RedHat based machine I see there
>> is a specific pam_krb5afs package. googling pam_krb5afs turns up quite
>> a few hits, so maybe that's a good place to start...

It's part of the pam_krb5 tarball.

> I found the pam_krb5 source code on sourceforge. But I cannot seem to
> find pam_krb5afs.

Look at the README ... The makefile creates it if the AFS lib is forund.

> Further, the configure options for pam_krb5 seem to
> make reference to existing kerberos 5 library and pam library paths :
[ ... ]
> So what should I do ? Compile kerberos first

Yes.

> or pam_krb5 first ? And does either give me pam_krb5afs ?

It should (the Kerberos first one.)

> krbafs is another package entirely and does not seem to have anything to
> do with pam_krb5afs (http://web.mit.edu/openafs/krbafs/).

I've never used AFS but, from what i gather, the latest OpenAFS supports
Krb5. I know Heimdal Kerberos should be able to work with that (it has a
build-time flag for it), and AFAICT you wount need anything besides those
then.

> I have been a slack user for more than a year and would gladly recommend
> this to anyone anyday, but this mess with pam seems to be a serious
> shortcoming to me.

Well it whould be nice if like a libnss_krb5 or libnss_gss exist(ed) ...
One is very unlikely to _need_ PAM for this now, but stuff /does/ need to
be recompiled (or replacements used) which maybe annoying.

> Thanks for your response.

With MIT Kerberos some people had problems with multi-threading, now
idunno if that is still the case, but Heimdal has worked fine here. You
may want to try that, and: read "info heimdal" after install (which is a
good read, even if you stick with MIT - or the Shishi implementation.)
ftp://ftp.pdc.kth.se/pub/heimdal/src/

heimdal.Slackbuild :

#!/bin/sh

NAME=heimdal
VERSION=0.7
ARCH=i486
BUILD=1

CPU=i686

if [ "$TMP" == "" ]; then
TMP=/tmp
fi
if [ ! -d $TMP ]; then
mkdir -p $TMP
fi

if [ "$CPU" = "i686" ]; then
SLKCFLAGS="-O2 -march=$ARCH -mcpu=$CPU"
else
SLKCFLAGS="-O2"
fi

CWD=`pwd`
PKG=$TMP/package-$NAME
rm -rf $PKG
mkdir -p $PKG

cd $TMP
tar xzvf $CWD/$NAME-$VERSION.tar.gz

cd $NAME-$VERSION

# Set basic permissions
find . -type f -print0 | xargs -0 chmod go-w
find . -type d -print0 | xargs -0 chmod 0755
chown -R root:root .
chmod -R -s .

# Lets build this already
CFLAGS="$SLKCFLAGS" \
../configure \
--enable-shared=yes \
--without-krb4 \
--without-hesiod \
--without-ipv6 \
--without-openldap \
--with-x
make
make install DESTDIR=$PKG

# Strip symbols off of binaries
strip $PKG/usr/heimdal/bin/*
strip $PKG/usr/heimdal/sbin/*
strip --strip-unneeded $PKG/usr/heimdal/lib/*
strip --strip-unneeded $PKG/usr/heimdal/libexec/*

# Set the binaries in bin directorys to group bin
chgrp -R bin $PKG/usr/heimdal/bin
chgrp -R bin $PKG/usr/heimdal/sbin

# Database dir
mkdir -p $PKG/var/heimdal

# Set PATH and MANPATH
mkdir -p $PKG/etc/profile.d
cat << END > $PKG/etc/profile.d/heimdal.sh
#!/bin/sh

export INFOPATH="/usr/heimdal/info:"
MANPATH="\$MANPATH:/usr/heimdal/man"
PATH="\$PATH:/usr/heimdal/bin"
if [ x"\$EUID" == x"0" ]; then
PATH="\$PATH:/usr/heimdal/sbin"
fi
END
chmod +x $PKG/etc/profile.d/heimdal.sh

# Include a KDC rc-file for the admin to consider
mkdir -p $PKG/etc/rc.d
cat << END > $PKG/etc/rc.d/rc.heimdal
#!/bin/sh

heimdal_start() {
if [ -r /var/heimdal/kdc.conf -a -x /usr/heimdal/libexec/kdc ]; then
echo "Starting the Kerberos service: /usr/heimdal/libexec/kdc --detach"
/usr/heimdal/libexec/kdc --detach
fi
}

heimdal_stop() {
killall kdc
}

heimdal_restart() {
heimdal_stop
sleep 1
heimdal_start
}

case "\$1" in
'start')
heimdal_start
;;
'stop')
heimdal_stop
;;
'restart')
heimdal_restart
;;
*)
echo "Usage: \$0 start|stop|restart"
esac
END
chmod +x $PKG/etc/rc.d/rc.heimdal

#
# Documentation :
#
mkdir -p $PKG/usr/doc/$NAME-$VERSION
cp -a NEWS README TODO* config.log \
$PKG/usr/doc/$NAME-$VERSION
mkdir -p $PKG/usr/doc/$NAME-$VERSION/ChangeLog
cp -a ChangeLog* $PKG/usr/doc/$NAME-$VERSION/ChangeLog
mkdir -p $PKG/usr/doc/$NAME-$VERSION/etc
cp -a etc/services.append \
$PKG/usr/doc/$NAME-$VERSION/etc
mkdir -p $PKG/usr/doc/$NAME-$VERSION/doc
cp -a doc/{init-creds,layman.asc,mdate-sh} \
$PKG/usr/doc/$NAME-$VERSION/doc
mkdir -p $PKG/usr/doc/$NAME-$VERSION/doc/standardisation
cp -a doc/standardisation/* \
$PKG/usr/doc/$NAME-$VERSION/doc/standardisation

mkdir -p $PKG/etc
cp krb5.conf $PKG/etc/krb5.conf.new

# Compress manual pages
( for dir in `find $PKG/usr -type d -name 'man?' -print`; do
cd $dir && \
gzip -9 *
done
)

# Compress info pages
( cd $PKG/usr/heimdal/info
find . -type f \! -name dir -exec gzip -9 {} \;
# Link the main compressed info page to a name as if it was clear
# as otherwise the GNU info utility somehow fails to render it...
ln -s heimdal.info.gz heimdal
)

mkdir $PKG/install

# Things todo on target machine after install
cat << END > $PKG/install/doinst.sh
if ! grep '^/usr/heimdal/lib$' /etc/ld.so.conf ; then
echo "/usr/heimdal/lib" >> /etc/ld.so.conf
/sbin/ldconfig
fi
END

# Add package description
cat $CWD/slack-desc > $PKG/install/slack-desc

# Create a package out of this
cd $PKG
makepkg -l y -c n ../$NAME-$VERSION-$ARCH-$BUILD.tgz

# Clean up the extra stuff:
if [ "$1" = "--cleanup" ]; then
rm -rf $TMP/$NAME-$VERSION
rm -rf $PKG
fi

--
-Menno.

On Sun, 10 Jul 2005 21:38:39 -0400, Madhusudan Singh wrote:
> Mike Denhoff wrote:

>> I'm wondering if you even need PAM.

I wouldn't think so.

>> I know nothing about openafs,

Neither do i.

>> but I'm using Kerberos along with Samba and openldap to join a Windows
>> Active Directory domain.

Do you really need openldap here?

(I have used winbind without that before (on Fedora though), only thing is
Linux account names needed to correspond with AD principal names, so we
had two places for storing them - which could be a problem in large LANs.)

>> Kerberos happily gets a ticket from the Windows Domain Controler, in
>> Slackware 10.1, without PAM.

> That would indeed be the ideal situation. But how do I authenticate
> users against the kerberos realm on the client by forwarding the
> authentication requests without pam ?

Probably run a KDC locally (which forwards requests). For the login
service, change your client inittab to spawn a Kerberized version, with
Heimdal that'd be:

c6:12345:respawn:/sbin/agetty 38400 tty6 linux -l /usr/heimdal/bin/login

Don't forget to create $HOME/.k5login for users.

> Further, is there a way to create a kerberos graylist (i.e., only those
> users that are in that list will be sought to be authenticated

If principals don't have a coresponding account on the host (or in
NIS/LDAP/whatever) login don't work, "kinit" for that principal from
another account still works. But perhaps i don't understand your question?

> while the rest rejected summarily) ?

The /etc/passwd file can be used for authorization as normal (hence set a
users shell to /bin/false to dissallow login access.) In /etc/shadow you
can set the accounts password field to !! to make sure all sessions are
Kerberos autenticated (otherwise users maybe able to use thier shadow pw.)

> A reference to a Howto would be nice.

Administation of a service is generally described in-depth within the man
and/or info pages of that service.

HTH.

--
-Menno.