Commit Graph

9 Commits

Benjamin Kaduk
eaae6eba8c aklog: require opt-in to enable single-DES in libkrb5
Since the introduction of rxkad-k5 in response to OPENAFS-SA-2013-003,
it is not strictly necessary to configure libkrb5 to allow weak crypto
in order to obtain an AFS token.  A sufficient amount of time has passed
since then that it is safe to assume that the default behavior is the
more-secure one, and require opt-in for the insecure behavior.

To indicate that the use of single-DES is quite risky, add the
"-insecure_des" argument to both klog and aklog, to gate the
preexisting calls that enable weak crypto/single-DES.
These calls, and the -insecure_des option, may be removed entirely
in a future commit.

Change-Id: If175d0f95f0ede0f252844086a2a023da5580732
Reviewed-on: https://gerrit.openafs.org/13689
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
2019-07-17 17:40:16 -04:00
Jeffrey Altman
a55d61b1f5 klog: make krb5_524 non-fatal for native K5 tokens
The krb5_524_conv_principal() function should fail whenever the Kerberos
v5 principal cannot safely be mapped onto a Kerberos v4 principal, and
does fail on some Kerberos v5 principals used in real-world AFS
deployments.

Prior to this patchset a failure was treated as a fatal error that
in turn prevents an AFS token from being generated or set into the
cache manager.

Prior to b1f9b4cb5d the krb5_524_conv_principal() function wasn't used
and a local client mapping was created.  b1f9b4cb5d replaced the local
mapping with the krb5 function because the local mapping could be wrong
and confusing.

The krb5_524_conv_principal() function as applied to AFS tokens is
just a local guess.  How the username in the token is interpreted by
the AFS server is up to the server.

krb5_524_conv_principal() is only used for Krb5 native tokens. For Krb4
tokens the krb5_524_convert_creds() function is used to obtain both the
Kerberos v4 ticket and the converted names from the KDC. Many
organizations used the krb524d service to perform name translation. When
the krb524d service is used, the name translation is performed by the KDC,
so there is no local call to krb5_524_conv_principal() which might fail.
As a result, disallowing the use of a native Krb5 token due to a failed
local name translation is a needless loss of functionality; the local name
translation is not an essential part of obtaining a token.

This patchset modifies the behavior such that krb5_524_conv_principal()
errors are non-fatal.

 1. If -noprdb is not specified the error message is generated
    and a NULL username is used.

 2. If the username is NULL the prdb lookup is disabled.

 3. If the username is NULL the informational messages do not
    include a username.

 4. If the username is NULL the username info provided to the
    cache manager in the token description is the nul string.

Credit to Ben Kaduk for assistance with the wording of this
commit message.

Change-Id: Ib07131fc0ff4bf5319815213198c3f0adac17b10
Reviewed-on: http://gerrit.openafs.org/11542
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: D Brashear <shadow@your-file-system.com>
2014-11-05 10:41:09 -05:00
Ken Dreyer
3dc1fb3feb doc: add linked cells description to man pages
The man pages previously described linking DCE cells to AFS cells.
OpenAFS and YFS also allow linking between two AFS cells. Update the
description of linked cells in CellServDB(5), aklog(1), and
fs_newcell(1) to refer to AFS instead of DCE.

Add a linked cell example to the CellServDB man page with an
explanation.

Change-Id: Ic9b1c643861b7307c09fcc5a1775f4abf4cb4155
Reviewed-on: http://gerrit.openafs.org/10342
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
2013-11-01 18:53:13 -07:00
Ken Dreyer
32d823c52f doc: quote list items in POD
Recent versions of Pod::Simple complain if we use integers or other
special characters in an =item list. We have a couple bulleted lists
that happen to have integers or other special characters as the list
values. Quote the items with C<> so that Pod::Simple can correctly parse
them again.

Change-Id: If456781fe219b73ae01feb9aef2fb2639e097534
Reviewed-on: http://gerrit.openafs.org/9838
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Tested-by: Jeffrey Altman <jaltman@your-file-system.com>
2013-05-01 13:58:56 -07:00
Ken Dreyer
1cc8feb6fc doc: replace hostnames with IETF example hostnames
There were several different real and made-up hostnames and company names used
throughout our documentation examples.

The IETF has reserved "example.com" and other "example" TLDs for use in
examples (RFC 2606). Replace almost all references to ABC Corporation, DEF
Corporation, and State University, as well as "abc.com", "bigcell.com",
"def.com", "def.gov", "ghi.com", "ghi.gov", "jkl.com", "mit.edu",
"stanford.edu", "state.edu", "stateu.edu", "uncc.edu", and "xyz.com".
Standardize on "Example Corporation", "Example Network", "Example
Organization" (example.com, example.net, and example.org).

The Scout documentation in the Admin Guide contains PNG images that contain
the old cell names, so I left those references until the images can be
replaced.

Change-Id: I4e44815b2d2ffe204810b7fd850842248f67c367
Reviewed-on: http://gerrit.openafs.org/6697
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
2012-02-17 20:51:58 -08:00
Russ Allbery
089cd2c103 Mention KRB5CCNAME in the aklog man page
AFS users not otherwise familiar with Kerberos may not realize that
one sets KRB5CCNAME to use an alternative ticket cache.  Mention the
variable in the aklog man page, although defer to the Kerberos
documentation for most details.

Change-Id: I13133285f153f86e0aa1e95b24715e01d576075d
Reviewed-on: http://gerrit.openafs.org/2761
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Rod Widdowson <rdw@steadingsoftware.com>
Reviewed-by: Russ Allbery <rra@stanford.edu>
2010-09-20 14:10:08 -07:00
Jason Edgecombe
1fdfac7065 man-page-pts-updates-20080605
LICENSE BSD

Add documentation of foreign realm user registration and cross-realm PTS
groups.  Add documentation of missing ptserver flags.  Add some additional
to-do entries for the man pages.
2008-06-05 20:31:13 +00:00
Russ Allbery
46cfe72898 aklog-doc-improvements-20061105
Document (at least partially) AFS's mapping of Kerberos v5 principal names
to Kerberos v4 format in the aklog man page.  Also document that -setpag
may not always work.
2006-11-06 04:24:42 +00:00
Russ Allbery
5f434b8087 aklog-man-page-20060731
Rewrite the aklog man page in POD and add documentation of the new flags
and .xlog.

====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================

Fix my misunderstanding of what rxkad2b is.

====================

Fix unterminated B<>.
2006-07-31 17:43:19 +00:00