January 16, 2003

Part 2: Kerberos

I think I’ve got Kerberos pretty well set up. Followed the instructions in the RH reference guide pretty much exactly. Even have a RH 7.2 box that’s able to kinit. I can’t think of any real snags I hit during the process of setting up the client or the server.

One apparent disappointment is that if I kinit, ssh doesn’t magically use this token to authenticate me, apparently. I still have to enter a password. I used authconfig on the Kerberos server (which is also the server I’m trying to SSH to — is this a problem?) to turn off LDAP and turn on Kerberos. (I have a diff like I did against /etc for LDAP, but I have to clean it up. Maybe I’ll post it tomorrow.) It seems, though, that pam_krb5 just bounces your password against the Kerberos server to see if it sticks, somehow. I guess this makes sense in the end: the client has to have the support to pass along a ticket to the service. Another interesting note: the SSH client that ships in RH 7.2, at least, has no mention of the word “Kerberos” in it, or so strings `which ssh` | grep -i kerberos reports at least. Additionally, ssh -o 'KerberosAuthentication yes' doesn’t work. I need to check the OpenSSH sources and see what kind of Kerberos support it has. I guess if it passes some sort of AFS tickets I’ll be happy enough. I found a few things on Google that kind of indicate that, at the very least, I’ll have to apply some patches to OpenSSH to get some Kerberos authentication support — and then I lose PAM authentication support, supposedly. This is entirely unconfirmed. Look, fuck you! I need to sleep some time. I’ll check it out tomorrow perhaps. Though I should really get RT working, probably.

In other news, I installed YAPS on my Palm to keep some passwords in. With these Kerberos passwords that I just made up, I decided I needed somewhere to keep them. YAPS supposedly uses Blowfish, the author supposedly built it for his own needs, and it seems to work well enough. Maybe I should strings the files that Backup Buddy transfers and see if I have any password lying about.

One LDAP server to bind them

Today I decided that I should find a way to do centralized directory services and shared file systems. I decided that my Windows boxes need to get access to this easily as do my Linux boxes. After some searching around, I suspect I’m going to end up with LDAP+Kerberos V+OpenAFS.

A brief discussion of what I’ve considered and discarded. I feel funny about mounting things via Samba from other Unix boxen. I also don’t know of a good way to have my Samba server acting as, say, a PDC authenticate against, say, an LDAP database. Samba can’t be an AD master server or whatever they’re called. (BTW, apparently MS’ AD LDAP server has some weird shit, like generated values for some keys. Very strange.) NFS is OK, but I don’t think that’d allow me the control I want in Windows.

So far I appear to have directory services in LDAP. Try reading something like the Red Hat manual on authenticating against OpenLDAP. This is pretty much correct. Note that RH8's /etc/services borks up the migration scripts that come with nss_ldap or whatever. I recommend something like this for running migrate_all_online.sh:

perl -ne 'next if (/^\s*#/);s/\s+/ /g;s/\s*#.*//;$_.="\n";print' \
         /etc/services | sort | uniq > /tmp/services
ETC_SERVICES=/tmp/services ./migrate_all_online.sh

Even then I had some problems because there were apparently three echo service entries. I think I just deleted the one for the ddp protocol (what’s DDP again?) and it worked.
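As an added example (not from the original post), here is the same cleanup done with sed/awk over a constructed /etc/services excerpt, plus a check that lists every service name defined for more than one protocol, so things like the three echo entries show up before migrate_all_online.sh is run. The sample file and the function names are mine.

```shell
#!/bin/sh
# Constructed excerpt in the style of a Red Hat /etc/services (not a real copy).
SAMPLE_SERVICES=$(cat <<'EOF'
# /etc/services:
# Network services, Internet style
#
echo            7/tcp
echo            7/udp
echo            7/ddp           # AppleTalk Echo Protocol
ftp             21/tcp
ssh             22/tcp          # SSH Remote Login Protocol
ssh             22/udp          # SSH Remote Login Protocol
kerberos        88/tcp          kerberos5 krb5   # Kerberos v5
kerberos        88/udp          kerberos5 krb5   # Kerberos v5

ldap            389/tcp
ldap            389/udp
EOF
)

# Write the sample to a temp file and print its path (the functions take a path).
sample_file() { f=$(mktemp); printf '%s\n' "$SAMPLE_SERVICES" > "$f"; echo "$f"; }

# Same cleanup as the perl one-liner, in sed: strip comments, collapse
# whitespace, trim, drop empty lines, then sort and remove exact duplicates.
clean_services() {
    LC_ALL=C sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
                 -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1" | LC_ALL=C sort | uniq
}

# Service names that appear with more than one protocol (e.g. "echo: ddp tcp udp");
# each such name turns into several directory entries, so review them before migrating.
multi_protocol_services() {
    clean_services "$1" | awk '{ split($2, pp, "/"); seen[$1] = seen[$1] " " pp[2] }
        END { for (n in seen) if (split(seen[n], a, " ") > 1) print n ":" seen[n] }' \
        | LC_ALL=C sort
}

f=$(sample_file)
echo "== cleaned (feed this as ETC_SERVICES) =="; clean_services "$f"
echo "== names with more than one protocol =="; multi_protocol_services "$f"
rm -f "$f"
```

Point clean_services at the real /etc/services and redirect to /tmp/services to get the same file the one-liner produces.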

To graphically edit stuff I dug up GQ. Don’t use 0.6.0, since it appears to have problems binding correctly. (As in, I couldn’t modify anything when I was supposed to have bound to my rootdn.) I used 0.7.0 beta 2 instead, which I got from GQ’s SourceForge.net project page. You need the GQ language pack 0.7.0beta2-0 or something, too. Note that GQ has a spec file in it; I never managed to make rpmbuild -ta gq*.tar.gz work. Also, to build GQ 0.7.0 beta 2 in RH8, I suggest modifying the %build section to read as:

%build
./configure --with-included-gettext --prefix=%{prefix}
aclocal
automake --add-missing
make

IIRC the aclocal and automake --add-missing above were required to make some depmod script/program/link/whatever that it’ll look for. If you get some error about a missing ./depmod or something like that, try the above. (Can you tell how familiar I am with the auto* tools?)

I used RH’s authconfig to set up LDAP directory services and authentication. It appears to have worked. I did a diff -urN on a version of the directory before and after the authconfig. To see what changed check out my /etc LDAP changes patch.

Next: Kerberos V. Stay tuned.