Difference between revisions of "BXadmin:Dce.psu.edu migration"
From CCGB
| Line 7: | Line 7: | ||
Things to do/check: | Things to do/check: | ||
| − | * Default ticket lifetime and renewal time with AIT. Need at least 2 weeks default lifetime so that cluster users are happy | + | * Default ticket lifetime and renewal time with AIT. Need at least 2 weeks default lifetime so that cluster users are happy '''[VERIFIED]''' - 14 days, 28 days |
* ssh + GSSAPI: | * ssh + GSSAPI: | ||
| − | ** Linux: works on RHEL5 and RHEL6. Should check debian just for completeness. | + | ** Linux: works on RHEL5 and RHEL6. Should check debian just for completeness. '''[DONE]''' - in cfengine |
** OSX - works on 10.6 with the additonal krb5.conf rules below | ** OSX - works on 10.6 with the additonal krb5.conf rules below | ||
* ssh + password: | * ssh + password: | ||
** Linux - works on Linux with second pam_krb5.conf entry. '''[GOOD]''' | ** Linux - works on Linux with second pam_krb5.conf entry. '''[GOOD]''' | ||
** OSX - Works on OSX 10.6.x if krb5AuthAuthority is set correctly for dce.psu.edu '''[GOOD]''' | ** OSX - Works on OSX 10.6.x if krb5AuthAuthority is set correctly for dce.psu.edu '''[GOOD]''' | ||
| − | * IMAP - works with password auth, krb5_kuserok is returning false because username != princpalname, even with krb5.conf rules ''[ | + | * IMAP - works with password auth, krb5_kuserok is returning false because username != princpalname, even with krb5.conf rules '''[DONE]''' - rebuilt dovecot against MIT instead of Heimdal. Works with Horde too |
* remctl - works fine, principal name looks correct '''[GOOD]''' | * remctl - works fine, principal name looks correct '''[GOOD]''' | ||
| − | * LDAP - GSSAPI binds work, will need additonal rules or ACLs to work with @dce.psu.edu principal names | + | * LDAP - GSSAPI binds work, will need additonal rules or ACLs to work with @dce.psu.edu principal names '''[DONE]''' - in cfengine |
* graphical login: | * graphical login: | ||
** linux - fine with pam modifications '''[GOOD]''' | ** linux - fine with pam modifications '''[GOOD]''' | ||
| − | ** windows - need to check Windows OpenAFS client to see if Integrated Login works as expected when bound to ACCESS.PSU.EDU | + | ** windows - need to check Windows OpenAFS client to see if Integrated Login works as expected when bound to ACCESS.PSU.EDU '''[DONE]''' - Need Domain key under the NP key. Will use startup script to push out correct registry settings similar to psuksetup.reg |
** osx: | ** osx: | ||
*** 10.6 - password checks work with loginwindow, tickets only with default_realm = dce.psu.edu | *** 10.6 - password checks work with loginwindow, tickets only with default_realm = dce.psu.edu | ||
* WebLogin: | * WebLogin: | ||
| − | ** Change cosign cgi rules to make dce.psu.edu logins set REMOTE_USER=abc123 and REMOTE_REALM=dce.psu.edu, and leave FPS the way it is | + | ** Change cosign cgi rules to make dce.psu.edu logins set REMOTE_USER=abc123 and REMOTE_REALM=dce.psu.edu, and leave FPS the way it is '''[DONE]''' - needed to patch cosign to pass cosignname before any regex matching/substitution |
| − | ** The dc=psu,dc=edu backend will return an entry if uid=abc123 exists under dc=bx,dc=psu,dc=edu, but return nothing if abc5123 does not have an entry. Need to | + | ** The dc=psu,dc=edu backend will return an entry if uid=abc123 exists under dc=bx,dc=psu,dc=edu, but return nothing if abc5123 does not have an entry. '''[DONE]''' - created dc=dce,dc=psu,dc=edu for uid=abc123 that doesn't exist in dc=bx,dc=psu,dc=edu. Need to document this requirement for adding dce.psu.edu users to web groups. |
| − | ** Need to verify that cosign can get kerberos credentials for dce.psu.edu logins so the web apps that do GSSAPI will continue to work | + | ** Need to verify that cosign can get kerberos credentials for dce.psu.edu logins so the web apps that do GSSAPI will continue to work - '''[DONE]''' - also fixed SPNEGO for both realms! |
* ldap2pts: | * ldap2pts: | ||
** Almost works with the new bxAFSPTSName attribute. | ** Almost works with the new bxAFSPTSName attribute. | ||
| Line 31: | Line 31: | ||
** Group sync needs some more work, maybe an hour or two, to verify logical correctness and to clean up verbose/debug messages | ** Group sync needs some more work, maybe an hour or two, to verify logical correctness and to clean up verbose/debug messages | ||
* admin.bx.psu.edu web apps: | * admin.bx.psu.edu web apps: | ||
| − | ** password change - Need to exclude dce users somehow | + | ** password change - Need to exclude dce users somehow '''[DONE]''' - just check REMOTE_REALM |
| − | ** mail forwarding - Dependent on cosign doing the right thing | + | ** mail forwarding - Dependent on cosign doing the right thing - '''[DONE]''' - cosign gets kerb tickets for both realms just fine |
* SGE - umm, shouldn't be a problem. Need to look at get_tokens.sh and set_token.sh to make sure BX.PSU.EDU isn't specified anywhere. | * SGE - umm, shouldn't be a problem. Need to look at get_tokens.sh and set_token.sh to make sure BX.PSU.EDU isn't specified anywhere. | ||
* RADIUS - No changes here, already supports both realms | * RADIUS - No changes here, already supports both realms | ||
Latest revision as of 09:53, 1 November 2011
This would not be a complete migration. Real user accounts would live in dce.psu.edu. All other system accounts and admin accounts would remain in BX.PSU.EDU.
Some thoughts:
- Because of the BX.PSU.EDU -> dce.psu.edu trust, abc123@dce.psu.edu can request afs/bx.psu.edu@BX.PSU.EDU service tickets. There is now a krb.conf file on all the fileservers and dbservers to make dce.psu.edu an additional 'local' realm. This makes abc123@dce.psu.edu appear as abc123 to the filesystem. [DONE]
- would need a bxAFSUserName, similar to bxAFSGroupID, but storing the PTS entry name, not the ID, to account for the disconnect between the POSIX username and the PTS name. [DONE] - bxAFSPTSName
Things to do/check:
- Default ticket lifetime and renewal time with AIT. Need at least 2 weeks default lifetime so that cluster users are happy [VERIFIED] - 14 days, 28 days
- ssh + GSSAPI:
- Linux: works on RHEL5 and RHEL6. Should check debian just for completeness. [DONE] - in cfengine
- OSX - works on 10.6 with the additonal krb5.conf rules below
- ssh + password:
- Linux - works on Linux with second pam_krb5.conf entry. [GOOD]
- OSX - Works on OSX 10.6.x if krb5AuthAuthority is set correctly for dce.psu.edu [GOOD]
- IMAP - works with password auth, krb5_kuserok is returning false because username != princpalname, even with krb5.conf rules [DONE] - rebuilt dovecot against MIT instead of Heimdal. Works with Horde too
- remctl - works fine, principal name looks correct [GOOD]
- LDAP - GSSAPI binds work, will need additonal rules or ACLs to work with @dce.psu.edu principal names [DONE] - in cfengine
- graphical login:
- linux - fine with pam modifications [GOOD]
- windows - need to check Windows OpenAFS client to see if Integrated Login works as expected when bound to ACCESS.PSU.EDU [DONE] - Need Domain key under the NP key. Will use startup script to push out correct registry settings similar to psuksetup.reg
- osx:
- 10.6 - password checks work with loginwindow, tickets only with default_realm = dce.psu.edu
- WebLogin:
- Change cosign cgi rules to make dce.psu.edu logins set REMOTE_USER=abc123 and REMOTE_REALM=dce.psu.edu, and leave FPS the way it is [DONE] - needed to patch cosign to pass cosignname before any regex matching/substitution
- The dc=psu,dc=edu backend will return an entry if uid=abc123 exists under dc=bx,dc=psu,dc=edu, but return nothing if abc5123 does not have an entry. [DONE] - created dc=dce,dc=psu,dc=edu for uid=abc123 that doesn't exist in dc=bx,dc=psu,dc=edu. Need to document this requirement for adding dce.psu.edu users to web groups.
- Need to verify that cosign can get kerberos credentials for dce.psu.edu logins so the web apps that do GSSAPI will continue to work - [DONE] - also fixed SPNEGO for both realms!
- ldap2pts:
- Almost works with the new bxAFSPTSName attribute.
- User synchronization works
- Group sync needs some more work, maybe an hour or two, to verify logical correctness and to clean up verbose/debug messages
- admin.bx.psu.edu web apps:
- password change - Need to exclude dce users somehow [DONE] - just check REMOTE_REALM
- mail forwarding - Dependent on cosign doing the right thing - [DONE] - cosign gets kerb tickets for both realms just fine
- SGE - umm, shouldn't be a problem. Need to look at get_tokens.sh and set_token.sh to make sure BX.PSU.EDU isn't specified anywhere.
- RADIUS - No changes here, already supports both realms
BIG QUESTION - Do we change the value of default_realm everywhere? Would this break anything?
krb5.conf modifications, add these lines to the [realms] BX.PSU.EDU section:
auth_to_local = RULE:[1:$1@$0](.*@dce\.psu\.edu)s/@.*// auth_to_local = DEFAULT
These have been added as of cfengine commit ff8d17f29d3dbd47aa81c25800a400edcec32773
