Difference between revisions of "BXadmin:Dce.psu.edu migration"

Revision as of 12:03, 29 September 2011

This would not be a complete migration. Real user accounts would live in dce.psu.edu. All other system accounts and admin accounts would remain in BX.PSU.EDU.

Some thoughts:

• Because of the BX.PSU.EDU -> dce.psu.edu trust, abc123@dce.psu.edu can request afs/bx.psu.edu@BX.PSU.EDU service tickets. There is now a krb.conf file on all the fileservers and dbservers to make dce.psu.edu an additional 'local' realm. This makes abc123@dce.psu.edu appear as abc123 to the filesystem. [DONE]
• would need a bxAFSUserName, similar to bxAFSGroupID, but storing the PTS entry name, not the ID, to account for the disconnect between the POSIX username and the PTS name. [DONE] - bxAFSPTSName

Things to do/check:

• Default ticket lifetime and renewal time with AIT. Need at least 2 weeks default lifetime so that cluster users are happy
• ssh + GSSAPI:
  • Linux: works on RHEL5 and RHEL6. Should check debian just for completeness. RHEL6 pam_krb5 succeeds in the session phase with only one pam_krb5 listed, but logs a message about failing to get a token, probably because the auth phase got a token. Is this a problem?
  • OSX - works on 10.6 with the additonal krb5.conf rules below
• ssh + password:
  • Linux - works on Linux with second pam_krb5.conf entry. [GOOD]
  • OSX - Works on OSX 10.6.x if krb5AuthAuthority is set correctly for dce.psu.edu [GOOD]
• IMAP - works with password auth, krb5_kuserok is returning false because username != princpalname, even with krb5.conf rules [PARTIAL]
• remctl - works fine, principal name looks correct [GOOD]
• LDAP - GSSAPI binds work, will need additonal rules or ACLs to work with @dce.psu.edu principal names
• graphical login:
  • linux - fine with pam modifications [GOOD]
  • windows - need to check Windows OpenAFS client to see if Integrated Login works as expected when bound to ACCESS.PSU.EDU
  • osx:
    • 10.6 - password checks work with loginwindow, but no tickets
• WebLogin:
  • Change cosign cgi rules to make dce.psu.edu logins set REMOTE_USER=abc123 and REMOTE_REALM=dce.psu.edu, and leave FPS the way it is for now.
  • The dc=psu,dc=edu backend will return an entry if uid=abc123 exists under dc=bx,dc=psu,dc=edu, but return nothing if abc5123 does not have an entry. Need to test for the existance first and still return a fake search result? Or do we create thin accounts?
  • Need to verify that cosign can get kerberos credentials for dce.psu.edu logins so the web apps that do GSSAPI will continue to work.
• ldap2pts:
  • Almost works with the new bxAFSPTSName attribute.
  • User synchronization works
  • Group sync needs some more work, maybe an hour or two, to verify logical correctness and to clean up verbose/debug messages
• admin.bx.psu.edu web apps:
  • password change - Need to exclude dce users somehow... maybe based on the value of krb5AuthAuthority
  • mail forwarding - Dependent on cosign doing the right thing
• SGE - umm, shouldn't be a problem. Need to look at get_tokens.sh and set_token.sh to make sure BX.PSU.EDU isn't specified anywhere.
• RADIUS - No changes here, already supports both realms

BIG QUESTION - Do we change the value of default_realm everywhere? Would this break anything?

krb5.conf modifications, add these lines to the [realms] BX.PSU.EDU section:

auth_to_local = RULE:[1:$1@$0](.*@dce\.psu\.edu)s/@.*//
auth_to_local = DEFAULT

These have been added as of cfengine commit ff8d17f29d3dbd47aa81c25800a400edcec32773