Coda File System

Re: modular clog + kerberos

From: root <coda_at_voidembraced.net>
Date: Wed, 10 Feb 2010 08:38:08 -0800
Greetings all: 

I have made significant progress, but have a few remaining questions. 

First, please take a look at these configs.  Why must authmethod and 
krb5realm be explicitly defined in both pref and codaauth2 -- did I foul up 
a config somewhere, or perhaps dns?  And is there no way to define the 
location of the -keytab krb5.conf declaration in a config (pref?), or 
perhaps a default location it looks for the keytab so that I can place the 
krb5.keytab there and omit the explicit declaration entirely? 

[root_at_sandbox1]# cat /vice/codaauth2.conf
4 {
 authorities {
   coda.realm {
     authmethod = kerberos5
     methodopts {
       krb5realm = KERBEROS.REALM
     }
   }
 }
}
[root_at_sandbox1]# cat ~/.codafs/clog/pref
5 {
 loginto = coda.realm
 identities {
   coda.realm {
     desc = coda.realm
     identity = codaadmin/codaauth_at_coda.realm
     authmethod = kerberos5
     methodopts {
       krb5realm = KERBEROS.REALM
     }
   }
 }
[root_at_sandbox1]# clog -keytab ~/.codafs/clog/krb5.keytab 


Regarding keytab auth, I found this site referring to kerberos _service_ 
principal keytab based afs auth (3rd paragraph from the top, under 
"Background" section):
http://www.stanford.edu/services/kerberos/sysadmin/keytabs.html 

A service key would be ideal for my application.  We are simply wanting to 
provide configuration data and some media content from our coda fileserver 
to an application on our application server.  Having to deal with user 
names, passwords, password policies (and expiration!) simply adds unneeded 
head aches.  Do you know of a way to swap out a kerberos user principal for 
a kerberos service principal for the purpose of coda user authentication? 


Lastly, the following scripts/binaries are annoyingly interactive:
*) cocli
*) coser
*) createvol_rep 

Is there a automation friendly flag I can pass in to make unattended 
roll-outs possible?  I don't want to have to resort to expect just to pass 
through a few [enter] key strokes. 


Regards,
 -Don
{void} 


>>>> Regardless, I'll start converting my command line into codaauth2.conf 
>>>> (and perhaps .codafs/clog/pref if it's worth doing).
> 
> I have fixed the DNS SRV records, so the krb and tokens entries have been 
> striken, however, it appears the following have to be in both codaauth2 
> and pref:
> authmethod = kerberos5
> methodopts { krb5realm = KERBEROS.REALM
> methodopts { krb5service { coda/coda.realm  
> 
> NOTE:  I know this syntax is incorrect, I'm simply displaying linear 
> container hierarchy to provide scope for the end config option.  
> 
> Is there any way to push these settings to dns, or at least push them to 
> codaauth2 only?  I'm sure there is some distinction between codaauth2 and 
> pref that I as yet do not understand.  
> 
> yes, I know coda/ is non-standard, and I wouldn't need it if I used 
> codaauth, but I'd still like to know why this can't be set in codaauth2 
> and striken from pref.  
> 
> Most important, is it at all possible to define the keytab in codaauth2 or 
> pref?  Is there a default location that the keytab is looked for by clog?  
> 
> 
> Regards,
> -Don
> {void}  
> 
 
Received on 2010-02-10 11:38:45