List: netatalk
Subject: Re: [Netatalk-admins] Basic Question
From: Hiroyuki Sato <hiroysato () gmail ! com>
Date: 2010-06-15 11:07:06
Message-ID: AANLkTimkhC68UMAWNakJacxqcxFamSpCD9l2-Y3Ew89q () mail ! gmail ! com
Hi Patrik,
Thank you for your information.
I could connect to the netatalk server without a password on CentOS 5.5.
I used uams_gss.so.
The libgssapi library has a problem on CentOS, so we had to avoid this problem.
Frank and I fixed this problem. (maybe.. fixed)
I can't read German but I can read your site.
(I just read the title and configuration example :-) )
I'm connecting to the netatalk server with the command-k option.
Anyway, thank you so much.
--
Hiroyuki
2010/6/15 Patrik Schindler <poc@pocnet.net>
> Hi,
>
> On 14.06.2010 at 16:01, Hiroyuki Sato wrote:
>
>> 1, Question.
>>
>> Basic question about Single-Sign-on
>>
>> I succeeded in logging in with the kerberos database on myhost.mydomain.com.
>> However, Finder always asks me for my password.
>>
>> Configuration is below.
>>
>> Can I single-sign-on with UAM of uams_dhx.so,uams_dhx2.so??
>> or I have to use uams_gssapi??
>
> gssapi is mandatory for sso.
>
> If you enable gssapi-variables in ssh(d) local and remote, can you log in
> without password?
>
>> 3, Configuration
>>
>> (1) /etc/pam.d/system-auth
>
> Using Kerberos with pam seems no good idea to me. I don't recommend it,
> there are a bunch of side effects which aren't satisfying. I've no problem
> with manually kinit after login.
>
> Instead, see if there's a kerberized replacement for your need. Afpd is
> fully kerberized, no need for PAM.
>
>> (2) /etc/netatalk/afpd.conf
>>
>> - -tcp -noddp -uamlist uams_dhx.so,uams_dhx2.so -setpassword -k5service
>> afpserver -k5keytab /etc/krb5.keytab -k5realm MYDOMAIN.COM -fqdn
>> myhost.mydomain.com:548 -setuplog "default log_maxdebug
>> /var/log/afpd.log"
>
> In my config, I omit the :548 but I don't think this is related. Rest is
> working like expected. Ah, and I'm using Debian instead of RH.
>
> How exactly do you connect? Are you using the sidebar in a finder window
> (which is possibly utilizing avahi on the server side)? That's not working
> with kerberos out of the box, since the names are different: avahi would
> resolve to myhost.local which doesn't match service- and hostprincipal as
> well as names in afpd.conf. When I'm in the mood, I'll try to get this
> running also and document it but don't wait for that. Try using cmd-k for
> connecting in the finder and use the FQDN to connect.
>
> Watch your clock of server and client for differences > 5 minutes and be
> sure to fully understand the necessities for setting up a client.
>
> I did an extensive documentation about kerberos in German (should be easily
> translatable by Google or others) here:
> http://kb.pocnet.net/index.php/Kerberos
>
> :wq! PoC
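The conditions Patrik lists for afpd single sign-on (the GSSAPI UAM enabled, a keytab entry for the service principal, the client connecting to the same name the principal was issued for rather than the avahi .local name, and clock skew under 5 minutes) can be checked before anyone stares at a Finder password prompt. The script below is an added example for this thread and is not netatalk code or anything either poster wrote. It assumes that afpd looks up the service principal <k5service>/<host part of -fqdn>@<k5realm> in the keytab, and it runs on constructed samples of the quoted afpd.conf line and of `klist -k` output instead of reading the live files.

```python
"""Pre-flight check for the afpd Kerberos SSO preconditions discussed in the thread.

Added example, not netatalk code. Assumption: afpd expects the keytab to hold
<k5service>/<host part of -fqdn>@<k5realm>, e.g. afpserver/myhost.mydomain.com@MYDOMAIN.COM.
"""
import re
import shlex

# Constructed sample: the afpd.conf line quoted in the thread (no uams_gss.so in -uamlist).
AFPD_CONF_ORIGINAL = (
    '- -tcp -noddp -uamlist uams_dhx.so,uams_dhx2.so -setpassword '
    '-k5service afpserver -k5keytab /etc/krb5.keytab -k5realm MYDOMAIN.COM '
    '-fqdn myhost.mydomain.com:548 -setuplog "default log_maxdebug /var/log/afpd.log"'
)
# The same line with the GSSAPI UAM added, which the reply says is mandatory for SSO.
AFPD_CONF_FIXED = AFPD_CONF_ORIGINAL.replace(
    'uams_dhx.so,uams_dhx2.so', 'uams_dhx.so,uams_dhx2.so,uams_gss.so')

# Constructed sample of `klist -k /etc/krb5.keytab` output (KVNO column, then principal).
KLIST_SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/myhost.mydomain.com@MYDOMAIN.COM
   3 afpserver/myhost.mydomain.com@MYDOMAIN.COM
"""

MAX_SKEW_SECONDS = 300  # the "> 5 minutes" from the reply (Kerberos default clockskew)


def parse_afpd_line(line):
    """Split one afpd.conf server line into {option: value} plus a set of bare flags."""
    tokens = shlex.split(line)[1:]  # first token is the server name ("-" = default server)
    values, flags = {}, set()
    i = 0
    while i < len(tokens):
        name = tokens[i].lstrip('-')
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is not None and not nxt.startswith('-'):
            values[name] = nxt  # option with an argument, e.g. -k5realm MYDOMAIN.COM
            i += 2
        else:
            flags.add(name)     # bare flag, e.g. -tcp or -setpassword
            i += 1
    return values, flags


def expected_service_principal(values):
    """Principal afpd will need in its keytab (assumed k5service/host@realm form)."""
    host = values['fqdn'].split(':')[0]  # drop the optional :port suffix
    return f"{values['k5service']}/{host}@{values['k5realm']}"


def keytab_principals(klist_output):
    """Principal names from `klist -k` output: lines shaped 'KVNO principal'."""
    return {m.group(1) for m in re.finditer(r'^\s*\d+\s+(\S+)\s*$', klist_output, re.M)}


def check_sso(conf_line, klist_output, connect_host, skew_seconds=0):
    """Return the reasons Finder would still prompt for a password (empty list = OK)."""
    values, _flags = parse_afpd_line(conf_line)
    problems = []
    if 'uams_gss.so' not in values.get('uamlist', '').split(','):
        problems.append('uams_gss.so missing from -uamlist (GSSAPI is mandatory for SSO)')
    principal = expected_service_principal(values)
    if principal not in keytab_principals(klist_output):
        problems.append(f'{principal} not found in {values.get("k5keytab", "keytab")}')
    fqdn_host = values['fqdn'].split(':')[0]
    if connect_host.lower() != fqdn_host.lower():
        # The avahi sidebar case: myhost.local does not match the principal's host name.
        problems.append(f'client connected to {connect_host}, but the principal is for {fqdn_host}')
    if abs(skew_seconds) > MAX_SKEW_SECONDS:
        problems.append(f'clock skew {skew_seconds}s exceeds {MAX_SKEW_SECONDS}s')
    return problems


if __name__ == '__main__':
    for label, conf in (('quoted config', AFPD_CONF_ORIGINAL), ('with uams_gss.so', AFPD_CONF_FIXED)):
        for host in ('myhost.mydomain.com', 'myhost.local'):
            print(f'{label}, connect to {host}:', check_sso(conf, KLIST_SAMPLE, host) or 'OK')
```

Run against the real files by substituting the server line from /etc/netatalk/afpd.conf and the output of `klist -k` for the two constructed samples, and pass the name typed into the cmd-k dialog as `connect_host`; the skew argument is whatever `ntpdate -q` or a comparison of `date` on client and server reports.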
_______________________________________________
Netatalk-admins mailing list
Netatalk-admins@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/netatalk-admins