Difference between revisions of "BXadmin:Dce.psu.edu migration"

From CCGB
Jump to: navigation, search
 
(12 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
Some thoughts:
 
Some thoughts:
* Because of the BX.PSU.EDU -> dce.psu.edu trust, abc123@dce.psu.edu can request afs/bx.psu.edu@BX.PSU.EDU service tickets. To the AFS fileservers and dbservers, they would look like abc123@dce.psu.edu
+
* Because of the BX.PSU.EDU -> dce.psu.edu trust, abc123@dce.psu.edu can request afs/bx.psu.edu@BX.PSU.EDU service tickets. There is now a krb.conf file on all the fileservers and dbservers to make dce.psu.edu an additional 'local' realm. This makes abc123@dce.psu.edu appear as abc123 to the filesystem. '''[DONE]'''
* would need a bxAFSUserName, similar to bxAFSGroupID, but storing the PTS entry name, not the ID, to account for the disconnect between the POSIX username and the PTS name.
+
* would need a bxAFSUserName, similar to bxAFSGroupID, but storing the PTS entry name, not the ID, to account for the disconnect between the POSIX username and the PTS name. '''[DONE] - bxAFSPTSName'''
* Linux and Solaris can use PAM stack tricks to try BX.PSU.EDU before dce.psu.edu. On RedHat, realm=FOO should suffice.
 
** On RedHat, realm=dce.psu.edu cell=bx.psu.edu seems to work fine when listed alongside another pam_krb5 '''[VERIFIED]'''
 
* For OSX, we might be able to write a plugin to be called via /etc/authorize?
 
* On Windows (as this is what started this whole thing), hosts would be bound to ACCESS.PSU.EDU, and users would select 'dce.psu.edu' at login. Need to verify that KfW and OpenAFS do the Right Thing and know how to get tokens.
 
* WebLogin: The dc=psu,dc=edu LDAP hack would need to do the right thing when cosign talks to it. dce.psu.edu would be made the default realm. Maybe we could get away with killing our cosign service entirely? That would be awesomesauce.
 
* How does system:authuser work with foreign realms? atc135@dce.psu.edu is, by default, a member of system:authuser@dce.psu.edu. Can I change this somehow, or at least nes the two groups?
 
  
Other concerns:
+
 
* For the users that use OSX, this would have to be an all-at-once switch, or if the user only logs into one machine, have two classes in cfengine for each of the default_realm settings, and convert the users and machines piecemeal.
+
Things to do/check:
* Any service that uses GSSAPI would need to be verified to work with the cross-realm
+
* Default ticket lifetime and renewal time with AIT. Need at least 2 weeks default lifetime so that cluster users are happy '''[VERIFIED]''' - 14 days, 28 days
** ssh
+
* ssh + GSSAPI:
** IMAP
+
** Linux: works on RHEL5 and RHEL6. Should check debian just for completeness. '''[DONE]''' - in cfengine
** remctl
+
** OSX - works on 10.6 with the additonal krb5.conf rules below
** LDAP
+
* ssh + password:
 +
** Linux - works on Linux with second pam_krb5.conf entry. '''[GOOD]'''
 +
** OSX - Works on OSX 10.6.x if krb5AuthAuthority is set correctly for dce.psu.edu '''[GOOD]'''
 +
* IMAP - works with password auth, krb5_kuserok is returning false because username != princpalname, even with krb5.conf rules '''[DONE]''' - rebuilt dovecot against MIT instead of Heimdal. Works with Horde too
 +
* remctl - works fine, principal name looks correct '''[GOOD]'''
 +
* LDAP - GSSAPI binds work, will need additonal rules or ACLs to work with @dce.psu.edu principal names '''[DONE]''' - in cfengine
 +
* graphical login:
 +
** linux - fine with pam modifications '''[GOOD]'''
 +
** windows - need to check Windows OpenAFS client to see if Integrated Login works as expected when bound to ACCESS.PSU.EDU '''[DONE]''' - Need Domain key under the NP key. Will use startup script to push out correct registry settings similar to psuksetup.reg
 +
** osx:
 +
*** 10.6 - password checks work with loginwindow, tickets only with default_realm = dce.psu.edu
 +
* WebLogin:
 +
** Change cosign cgi rules to make dce.psu.edu logins set REMOTE_USER=abc123 and REMOTE_REALM=dce.psu.edu, and leave FPS the way it is '''[DONE]''' - needed to patch cosign to pass cosignname before any regex matching/substitution
 +
** The dc=psu,dc=edu backend will return an entry if uid=abc123 exists under dc=bx,dc=psu,dc=edu, but return nothing if abc5123 does not have an entry. '''[DONE]''' - created dc=dce,dc=psu,dc=edu for uid=abc123 that doesn't exist in dc=bx,dc=psu,dc=edu. Need to document this requirement for adding dce.psu.edu users to web groups.
 +
** Need to verify that cosign can get kerberos credentials for dce.psu.edu logins so the web apps that do GSSAPI will continue to work - '''[DONE]''' - also fixed SPNEGO for both realms!
 +
* ldap2pts:
 +
** Almost works with the new bxAFSPTSName attribute.
 +
** User synchronization works
 +
** Group sync needs some more work, maybe an hour or two, to verify logical correctness and to clean up verbose/debug messages
 +
* admin.bx.psu.edu web apps:
 +
** password change - Need to exclude dce users somehow '''[DONE]''' - just check REMOTE_REALM
 +
** mail forwarding - Dependent on cosign doing the right thing - '''[DONE]''' - cosign gets kerb tickets for both realms just fine
 +
* SGE - umm, shouldn't be a problem. Need to look at get_tokens.sh and set_token.sh to make sure BX.PSU.EDU isn't specified anywhere.
 +
* RADIUS - No changes here, already supports both realms
 +
 
 +
'''BIG QUESTION''' - Do we change the value of default_realm everywhere? Would this break anything?
 +
 
 +
krb5.conf modifications, add these lines to the [realms] BX.PSU.EDU section:
 +
<pre>auth_to_local = RULE:[1:$1@$0](.*@dce\.psu\.edu)s/@.*//
 +
auth_to_local = DEFAULT</pre>
 +
These have been added as of cfengine commit ff8d17f29d3dbd47aa81c25800a400edcec32773

Latest revision as of 08:53, 1 November 2011

This would not be a complete migration. Real user accounts would live in dce.psu.edu. All other system accounts and admin accounts would remain in BX.PSU.EDU.

Some thoughts:

  • Because of the BX.PSU.EDU -> dce.psu.edu trust, abc123@dce.psu.edu can request afs/bx.psu.edu@BX.PSU.EDU service tickets. There is now a krb.conf file on all the fileservers and dbservers to make dce.psu.edu an additional 'local' realm. This makes abc123@dce.psu.edu appear as abc123 to the filesystem. [DONE]
  • would need a bxAFSUserName, similar to bxAFSGroupID, but storing the PTS entry name, not the ID, to account for the disconnect between the POSIX username and the PTS name. [DONE] - bxAFSPTSName


Things to do/check:

  • Default ticket lifetime and renewal time with AIT. Need at least 2 weeks default lifetime so that cluster users are happy [VERIFIED] - 14 days, 28 days
  • ssh + GSSAPI:
    • Linux: works on RHEL5 and RHEL6. Should check debian just for completeness. [DONE] - in cfengine
    • OSX - works on 10.6 with the additonal krb5.conf rules below
  • ssh + password:
    • Linux - works on Linux with second pam_krb5.conf entry. [GOOD]
    • OSX - Works on OSX 10.6.x if krb5AuthAuthority is set correctly for dce.psu.edu [GOOD]
  • IMAP - works with password auth, krb5_kuserok is returning false because username != princpalname, even with krb5.conf rules [DONE] - rebuilt dovecot against MIT instead of Heimdal. Works with Horde too
  • remctl - works fine, principal name looks correct [GOOD]
  • LDAP - GSSAPI binds work, will need additonal rules or ACLs to work with @dce.psu.edu principal names [DONE] - in cfengine
  • graphical login:
    • linux - fine with pam modifications [GOOD]
    • windows - need to check Windows OpenAFS client to see if Integrated Login works as expected when bound to ACCESS.PSU.EDU [DONE] - Need Domain key under the NP key. Will use startup script to push out correct registry settings similar to psuksetup.reg
    • osx:
      • 10.6 - password checks work with loginwindow, tickets only with default_realm = dce.psu.edu
  • WebLogin:
    • Change cosign cgi rules to make dce.psu.edu logins set REMOTE_USER=abc123 and REMOTE_REALM=dce.psu.edu, and leave FPS the way it is [DONE] - needed to patch cosign to pass cosignname before any regex matching/substitution
    • The dc=psu,dc=edu backend will return an entry if uid=abc123 exists under dc=bx,dc=psu,dc=edu, but return nothing if abc5123 does not have an entry. [DONE] - created dc=dce,dc=psu,dc=edu for uid=abc123 that doesn't exist in dc=bx,dc=psu,dc=edu. Need to document this requirement for adding dce.psu.edu users to web groups.
    • Need to verify that cosign can get kerberos credentials for dce.psu.edu logins so the web apps that do GSSAPI will continue to work - [DONE] - also fixed SPNEGO for both realms!
  • ldap2pts:
    • Almost works with the new bxAFSPTSName attribute.
    • User synchronization works
    • Group sync needs some more work, maybe an hour or two, to verify logical correctness and to clean up verbose/debug messages
  • admin.bx.psu.edu web apps:
    • password change - Need to exclude dce users somehow [DONE] - just check REMOTE_REALM
    • mail forwarding - Dependent on cosign doing the right thing - [DONE] - cosign gets kerb tickets for both realms just fine
  • SGE - umm, shouldn't be a problem. Need to look at get_tokens.sh and set_token.sh to make sure BX.PSU.EDU isn't specified anywhere.
  • RADIUS - No changes here, already supports both realms

BIG QUESTION - Do we change the value of default_realm everywhere? Would this break anything?

krb5.conf modifications, add these lines to the [realms] BX.PSU.EDU section:

auth_to_local = RULE:[1:$1@$0](.*@dce\.psu\.edu)s/@.*//
auth_to_local = DEFAULT

These have been added as of cfengine commit ff8d17f29d3dbd47aa81c25800a400edcec32773