Hi.

I don't know if anyone is ever facing my problems, but I'll give it a try asking questions, and if no one answers, maybe my progress in understanding can help someone else!

My situation: AIX 5.2 client --- Servers (Linux) MIT K5, LDAP, OpenAFS. No user information whatsoever on clients. Passwords are provided by Kerberos 5, user info (gecos, home directory, shell...) by LDAP, home directories reside on OpenAFS, so somehow I have to convert the ticket from Kerberos into an AFS token.

--> Now. My /lib/security/methods.cfg shows something like:

    KRB5A:
            program = /lib/security/KRB5A
            options = authonly

    KRB5Afiles:
            options = db=LDAP,auth=KRB5A

--> Of course, I have in /etc/security/user

    SYSTEM="KRB5Afiles OR compat"

--> In /etc/security/ldap/ldap.cfg

    ldapservers:dir1.cell.name,dir2.cell.name
    ldapadmin=cn=myadm
    userattrmappath=/etc/security/ldap/2307user.map
    groupattrmappath=/etc/security/ldap/2307group.map

What I'm missing is a connection with:
- OpenAFS (ticket -> token)
- SSH (passwordless and PAG)

If anyone has AIX with a similar situation, please let me know! you have ideas...

--
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB> <icqnum:241572242> <yahoo!:sensei_sen> <msn-id:sensei_sen@hotmail.com>
| |||
Sensei <senseiwa@tin.it> wrote:
> Hi.
>
> I don't know if anyone is ever facing my problems, but I'll give it a try
> asking questions, and if no one answers, maybe my progress in
> understanding can help someone else!
>
> My situation: AIX 5.2 client --- Servers (Linux) MIT K5, LDAP,
> OpenAFS. No user information whatsoever on clients. Passwords are
> provided by Kerberos 5, user info (gecos, home directory, shell...)
> by LDAP, home directories reside on OpenAFS, so somehow I have to
> convert the ticket from Kerberos into an AFS token.
>
[snip]
> What I'm missing is a connection with:
> - OpenAFS (ticket -> token)
> - SSH (passwordless and PAG)
>
> If anyone has AIX with a similar situation, please let me know!
> you have ideas...

try:
http://afs.caspur.it/afs/italia/project/ssh/
OpenSSH binary with AFS support.

I have not tested it as I need one for AIX 5.1. (Tivoli only seems to AFS buta support for AIX 4.3 and 5.1 for some unknown and very annoying reason.)

<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin
| |||
No one is authenticating over a NON-AIX KDC? No one is using LDAP to store user information? Don't tell me that...

--
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB> <icqnum:241572242> <yahoo!:sensei_sen> <msn-id:sensei_sen@hotmail.com>
| |||
Christopher D. Clausen wrote:
> try:
> http://afs.caspur.it/afs/italia/project/ssh/
> OpenSSH binary with AFS support.
>
> I have not tested it as I need one for AIX 5.1. (Tivoli only seems to
> AFS buta support for AIX 4.3 and 5.1 for some unknown and very annoying
> reason.)

The big problem is that I can't log in with a serial terminal using Kerberos. So I'm not sure...

--
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB> <icqnum:241572242> <yahoo!:sensei_sen> <msn-id:sensei_sen@hotmail.com>
| ||||
I need to log in from a serial console as a Kerberos principal as well as using SSH. One bad thing is that it doesn't seem to be able to log in, console or SSH.

I'd like to know what configuration you have if you can do logins from the console, and SSH from caspur should work, if console login works.

--
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB> <icqnum:241572242> <yahoo!:sensei_sen> <msn-id:sensei_sen@hotmail.com>