Difference between revisions of "BXadmin:Dce.psu.edu migration"

From CCGB
Jump to: navigation, search
Line 7: Line 7:
  
 
Things to do/check:
 
Things to do/check:
* services
+
* ssh + GSSAPI:
** ssh + GSSAPI:
+
** Linux: works on RHEL5, should work on RHEL6
*** Linux: works on RHEL5, should work on RHEL6
+
** OSX - works on 10.6 with the additonal krb5.conf rules below
*** OSX - works on 10.6 with the additonal krb5.conf rules below
+
* ssh + password:
** ssh + password:
+
** Linux - works on Linux with second pam_krb5.conf entry. '''[GOOD]'''
*** Linux - works on Linux with second pam_krb5.conf entry. '''[GOOD]'''
+
** OSX - Works on OSX 10.6.x if krb5AuthAuthority is set correctly for dce.psu.edu '''[GOOD]'''
*** OSX - Works on OSX 10.6.x if krb5AuthAuthority is set correctly for dce.psu.edu '''[GOOD]'''
+
* IMAP - works with password auth, krb5_kuserok is returning false because username != princpalname, even with krb5.conf rules ''[PARTIAL]''
** IMAP - works with password auth, krb5_kuserok is returning false because username != princpalname, even with krb5.conf rules ''[PARTIAL]''
+
* remctl - works fine, principal name looks correct '''[GOOD]'''
** remctl - works fine, principal name looks correct '''[GOOD]'''
+
* LDAP - GSSAPI binds work, will need additonal rules or ACLs to work with @dce.psu.edu principal names
** LDAP - GSSAPI binds work, will need additonal rules or ACLs to work with @dce.psu.edu principal names
+
* graphical login:
** graphical login:
+
** linux - fine with pam modifications '''[GOOD]'''
*** linux - fine with pam modifications '''[GOOD]'''
+
** windows - need to check Windows OpenAFS client to see if Integrated Login works as expected when bound to ACCESS.PSU.EDU
*** windows - need to check Windows OpenAFS client to see if Integrated Login works as expected when bound to ACCESS.PSU.EDU
+
** osx - need to test
*** osx - need to test
 
 
* WebLogin:
 
* WebLogin:
 
** Change cosign cgi rules to make dce.psu.edu logins set REMOTE_USER=abc123 and REMOTE_REALM=dce.psu.edu, and leave FPS the way it is for now.
 
** Change cosign cgi rules to make dce.psu.edu logins set REMOTE_USER=abc123 and REMOTE_REALM=dce.psu.edu, and leave FPS the way it is for now.
Line 29: Line 28:
 
** User synchronization works
 
** User synchronization works
 
** Group sync needs some more work, maybe an hour or two, to verify logical correctness and to clean up verbose/debug messages
 
** Group sync needs some more work, maybe an hour or two, to verify logical correctness and to clean up verbose/debug messages
 +
* admin.bx.psu.edu web apps:
 +
** password change - Need to exclude dce users somehow...
 +
** mail forwarding - Dependent on cosign doing the right thing
 +
 +
krb5.conf modifications, add these lines to the [realms] BX.PSU.EDU section:
 +
<pre>auth_to_local = RULE:[1:$1@$0](.*@dce\.psu\.edu)s/@.*//
 +
auth_to_local = DEFAULT</pre>

Revision as of 22:15, 28 September 2011

This would not be a complete migration. Real user accounts would live in dce.psu.edu. All other system accounts and admin accounts would remain in BX.PSU.EDU.

Some thoughts:

  • Because of the BX.PSU.EDU -> dce.psu.edu trust, abc123@dce.psu.edu can request afs/bx.psu.edu@BX.PSU.EDU service tickets. There is now a krb.conf file on all the fileservers and dbservers to make dce.psu.edu an additional 'local' realm. This makes abc123@dce.psu.edu appear as abc123 to the filesystem. [DONE]
  • would need a bxAFSUserName, similar to bxAFSGroupID, but storing the PTS entry name, not the ID, to account for the disconnect between the POSIX username and the PTS name. [DONE] - bxAFSPTSName


Things to do/check:

  • ssh + GSSAPI:
    • Linux: works on RHEL5, should work on RHEL6
    • OSX - works on 10.6 with the additonal krb5.conf rules below
  • ssh + password:
    • Linux - works on Linux with second pam_krb5.conf entry. [GOOD]
    • OSX - Works on OSX 10.6.x if krb5AuthAuthority is set correctly for dce.psu.edu [GOOD]
  • IMAP - works with password auth, krb5_kuserok is returning false because username != princpalname, even with krb5.conf rules [PARTIAL]
  • remctl - works fine, principal name looks correct [GOOD]
  • LDAP - GSSAPI binds work, will need additonal rules or ACLs to work with @dce.psu.edu principal names
  • graphical login:
    • linux - fine with pam modifications [GOOD]
    • windows - need to check Windows OpenAFS client to see if Integrated Login works as expected when bound to ACCESS.PSU.EDU
    • osx - need to test
  • WebLogin:
    • Change cosign cgi rules to make dce.psu.edu logins set REMOTE_USER=abc123 and REMOTE_REALM=dce.psu.edu, and leave FPS the way it is for now.
    • The dc=psu,dc=edu backend will return an entry if uid=abc123 exists under dc=bx,dc=psu,dc=edu, but return nothing if abc5123 does not have an entry. Need to test for the existance first and still return a fake search result? Or do we create thin accounts?
    • Need to verify that cosign can get kerberos credentials for dce.psu.edu logins so the web apps that do GSSAPI will continue to work.
  • ldap2pts:
    • Almost works with the new bxAFSPTSName attribute.
    • User synchronization works
    • Group sync needs some more work, maybe an hour or two, to verify logical correctness and to clean up verbose/debug messages
  • admin.bx.psu.edu web apps:
    • password change - Need to exclude dce users somehow...
    • mail forwarding - Dependent on cosign doing the right thing

krb5.conf modifications, add these lines to the [realms] BX.PSU.EDU section: 

auth_to_local = RULE:[1:$1@$0](.*@dce\.psu\.edu)s/@.*//
auth_to_local = DEFAULT
Retrieved from "http://wiki.bx.psu.edu/index.php?title=BXadmin:Dce.psu.edu_migration&oldid=1518"