Compiling arla on OSX 10.1

Thomas Jordan jordant at fnal.gov
Thu Oct 18 23:11:39 CEST 2001


I have removed all of the files in /usr/athena and traded e-mails with 
folks here. The short story is that I have Arla working on OSX 10.1 
_without_ KfM.

My install is:
10.1
Arla from the 0.35.6 .pkg
using NetInfo manager to make my UID on the local system the same as the 
UID in my AFS space (and chowning all local files)
authenticating with /usr/arla/kalog (providing my AFS _not_ krb5 
password)

While I have tried kalog before, I always provided my krb5 password. 
This time, I tried my AFS password and I can edit files in my AFS space 
from the CLI or GUI. When successful, kalog places a file in /tmp called 
tkt8998 (8998 = my UID as above). Removing this file makes it impossible 
to edit files in my AFS space.

I can do this with KfM tickets or without them.

So kalog must look at my /usr/arla/etc/ThisCell (1 line: fnal.gov), send 
my AFS login information, receive authentication and tell Arla that I 
can edit files in AFS.

So my questions are:
What is kalog and is it passing my AFS credential in clear text?
Is there a way that we can kludge kalog to look at the KfM credentials?
Does this only work for me in my hybrid krb5/krb4 environment? (krb5 for 
one-time authorization for ssh and ftp and krb4 for afs)
Where does KfM write its credentials? not in /tmp
Is anyone else as excited as I am?

I am going to write this up more formally and post the URL back to this 
list. Please let me know what you find, or answer any questions that you 
can.

tom


On Thursday, October 18, 2001, at 10:22 AM, Thomas Jordan wrote:

> I'm trying to summarize my findings of the last few days as well as 
> summarize some of the traffic here in same time span. Please jump in 
> and correct me...
>
> Our site uses krb5 for authentication (ftp and ssh) and one must run an 
> aklog to receive afs tokens. This suggests to me that the afs server is 
> seeking krb4 tickets/tokens. If the aklog (/usr/arla/bin/aklog) in the 
> OSX 10.1 .pkg build is built with the config parameters below, then it 
> will be looking for kerberos (krb4) tickets somewhere in /usr/athena/. 
> If I have used KfM to obtain my tickets then the aklog in the build 
> will not work.
>
> So Sandy said it clearly on 16 October - it just took me this long to 
> figure it out. For Arla to work in OSX 10.1 (with krb5 tickets to afs 
> tokens) I need: KfM, krbafs linked to KfM and an Arla that we can build 
> against those authentication protocols.
>
> I am still working away at this but it seems that I need that krbafs 
> from Alexandra and MIT. The aklog download offered at 
> http://web.mit.edu/openafs/ (thanks Aaron) is written for Openafs. 
> Perhaps someone on the list can provide some advice on how to hack it 
> for Arla.
>
>
> Best regards,
> 	tom
>
> On Wednesday, October 17, 2001, at 08:25 PM, Magnus Ahltorp wrote:
>
>>> I have tried kth-krb 1.0.5, 1.0.6, and 1.1 and all three fail to
>>> satisfy all external references for arla (latest release).  The exact
>>> routines that show missing are different.  From earlier traffic on
>>> this list I gather that krbafs with built-in MIT k5 is not ready for
>>> OSX 10.1 either.
>>
>> One problem is that ld doesn't link with the libraries you tell it to
>> link with. I haven't figured out why yet.
>>
>>> How was the binary package built?  Is there a combination that "just
>>> works", or do I need to start hacking?
>>
>> With kth-krb 1.0.9 and this configure command:
>>
>> ./configure  --with-krb4=/usr/athena --without-krb5 --disable-mmap
>>
>> /Magnus
>>
>>
Thomas Jordan
Fermi National Accelerator Laboratory
PO Box 500, MS 226 WH15W
Batavia, Il
60510-0500
ofc:630.840.4035 fax:630.840.8248