From: Russ Allbery
Date: Fri, 9 Sep 2005 22:01:13 +0000 (+0000)
Subject: * libpam-openafs-kaserver must depend on openafs-client, not just
X-Git-Tag: debian/1.4rc4-1~6
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=316aed759e69a93374a3af5d152fd8e06a99d06b;p=packages%2Fo%2Fopenafs.git

* libpam-openafs-kaserver must depend on openafs-client, not just
  recommend it, since acquiring tokens requires that the client be
  running.
* Expand README.Debian and include information about PAM configuration.
* Link libpam-openafs-kaserver's doc directory to openafs-client.
---

diff --git a/debian/README.Debian b/debian/README.Debian
index f13f0a371..6893a8dcb 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -1,37 +1,115 @@ -OpenAFS for Debian ------------------- + OpenAFS for Debian -* Long-time AFS users may be confused by the directory layout. The files - that normally go in /usr/vice/etc go in /etc/openafs. The cache should - be mounted on /var/cache/openafs. +Introduction + + For an OpenAFS client system, install openafs-client and a kernel + module. See README.modules for information on how to build the kernel + module for your system. Then, read /etc/openafs/afs.conf to understand + the client configuration options. The openafs-client package will + attempt to guess at a good cache configuration based on the size of your + cache, but you may want to tune it further. There are also other + options configured in that file you may want to consider. -* The AFS client cache must be on an ext2 or ext3 partition. Other file + The AFS client cache must be on an ext2 or ext3 partition. Other file systems often do not support the semantics required by the AFS kernel - module and will cause kernel faults. In particular, XFS and ReiserFS - will NOT work. + module and will cause afsd to abort (to avoid kernel panics). In + particular, XFS, ReiserFS, and tmpfs will NOT work. + + For information on how to set up an OpenAFS server, read README.servers. + You will want the openafs-fileserver package for a file server and, + additionally, the openafs-dbserver package for a database server. -* Read /etc/openafs/afs.conf to understand the client configuration - options. The openafs-client package will attempt to guess at a good - cache configuration based on the size of your cache, but you may want - to tune it further. There are also other options configured in that - file you may want to consider. +Documentation -* No manual pages are included. Work is underway upstream to write man + For the complete OpenAFS manual, install openafs-doc. 
This is the same + documentation as found at , and is + unfortunately outdated in several respects, but it's the best that we + have at present. The Administrative Reference manual is one of the most + useful, as it contains man-page-like pages on most of the AFS commands. + + No manual pages are included. Work is underway upstream to write man pages for all of the commands based on the old HTML reference manual, but that work is not complete yet. -* Documentation can be found at http://www.openafs.org. If want to - set up a new cell, read the docs there and then look at the example - session in configuration-transcript.txt.gz in this directory. You - should also read README.servers. The procedure outlined in these two - files is much simpler and more secure than the one in the OpenAFS - documentation, but the OpenAFS documentation provides useful background. + If want to set up a new cell, read README.servers and then look at the + example session in configuration-transcript.txt.gz in this directory. + The procedure outlined in these two files is much simpler and more + secure than the one in the OpenAFS documentation, but the OpenAFS + documentation provides useful background. + +Changes Relative to Stock OpenAFS + + Long-time AFS users may be confused by the directory layout. The files + that normally go in /usr/vice/etc go in /etc/openafs. The cache should + be mounted on /var/cache/openafs. The server files have been moved + around even more; see README.servers for the details. + + The OpenAFS kernel module is named openafs, not libafs, to better match + normal Linux kernel module naming standards. The Debian source package + only builds one kernel module that matches the kernel source tree it is + built against and does not attempt to build separate SMP and non-SMP + modules against the same tree. Doing so does not work on all platforms. 
+ To distinguish between an SMP and a non-SMP kernel module package, use + --append_to_version; see README.modules for more information. -* The libopenafs-dev package only includes static libraries because - the shared libraries built by AFS are not compatible with Debian policy. - They do not have a stable ABI or an appropriate SONAME. + The libopenafs-dev package only includes static libraries and there are + no shared library packages. The shared libraries built by AFS are not + compatible with Debian policy. They do not have a stable ABI or an + appropriate SONAME. -* kaserver is not included. New AFS cells should use Kerberos v5 rather + kaserver is not included. New AFS cells should use Kerberos v5 rather than the old K4-based kaserver KDC. - -- Russ Allbery , Thu Aug 11 10:37:50 2005 + The OpenAFS PAM modules have been built with pthreads rather than the + standard LWP AFS libraries for compatibility with a threaded sshd. + +PAM Authentication + + Any new OpenAFS cell is strongly encouraged to use Kerberos v5 for + authentication. If you want PAM to automatically obtain AFS credentials + and you are using Kerberos v5, you will want to install the libpam-krb5 + and libpam-openafs-session packages and then put something like the + following in /etc/pam.d/common-auth: + + auth [success=ok default=1] pam_krb5.so + auth [default=done] pam_openafs_session.so + auth required pam_unix.so nullok_secure try_first_pass + + and something like the following in /etc/pam.d/common-session: + + session optional pam_krb5.so + session optional pam_openafs_session.so + session required pam_unix.so + + You'll probably also want the following in /etc/pam.d/common-account: + + account sufficient pam_krb5.so + account required pam_unix.so + + There are, of course, many variations depending on what different + mechanism you want to use and how you want to handle fallbacks. 
+ + If you are still using Kerberos v4 and the OpenAFS kaserver (or a KDC + that understands the same protocol) for authentication, you can instead + use the libpam-openafs-kaserver package and a configuration like: + + auth sufficient pam_afs.so ignore_root + auth required pam_unix.so nullok_secure try_first_pass + + in /etc/pam.d/common-auth and: + + session optional pam_afs.so + session required pam_unix.so + + in /etc/pam.d/common-session. Use pam_afs.krb.so instead of pam_afs.so + if you also want the PAM module to acquire a ticket cache for you. If + using this configuration with sshd, you may need to disable privilege + separation to get everything working properly. I've had mixed results + with that. Obviously, converting to Kerberos v5 authentication is + strongly preferred. + + If you are using the kaserver as your KDC, you may also want to install + the openafs-kpasswd package to get the administrative utilities for + managing those Kerberos accounts. + + -- Russ Allbery , Fri Sep 9 14:53:22 2005 diff --git a/debian/changelog b/debian/changelog index e0102d681..54267a5aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,11 @@ openafs (1.4rc3-1) unstable; urgency=low * Remove the init script check of the cache file system and instead improve the check in afsd. The init script check used stat, which is in /usr/bin and therefore not fair game for init scripts. + * libpam-openafs-kaserver must depend on openafs-client, not just + recommend it, since acquiring tokens requires that the client be + running. + * Expand README.Debian and include information about PAM configuration. + * Link libpam-openafs-kaserver's doc directory to openafs-client. * Translation updates. - Portuguese (Brazil), thanks André Luís Lopes. diff --git a/debian/control b/debian/control index b44210f15..e9cc9dc85 100644 --- a/debian/control +++ b/debian/control 
@@ -91,8 +91,7 @@ Description: The AFS distributed filesystem- Module Sources Package: libpam-openafs-kaserver Priority: extra -Depends: ${shlibs:Depends} -Recommends: openafs-client +Depends: ${shlibs:Depends}, openafs-client Architecture: i386 powerpc sparc alpha s390 ia64 hppa amd64 ppc64 Description: The AFS distributed filesystem- kaserver PAM module AFS is a distributed filesystem allowing cross-platform sharing of @@ -101,4 +100,4 @@ Description: The AFS distributed filesystem- kaserver PAM module . This package provides a PAM module for existing sites using the AFS kaserver for authentication. New sites should use a Kerberos 5 - implementation, a Kerberos PAM module and libpam-openafs-session. + implementation, a Kerberos v5 PAM module, and libpam-openafs-session. diff --git a/debian/rules b/debian/rules index 5bae255e8..5c5e6ed35 100755 --- a/debian/rules +++ b/debian/rules @@ -38,8 +38,15 @@ srcpkg = openafs-modules-source modulepkg := $(shell echo openafs-modules-$(KVERS)${INT_SUBARCH}) moduledir := debian/$(modulepkg)/lib/modules/$(KVERS)/fs +# These packages have lintian overrides. LINTIAN_PACKAGES = openafs-dbserver openafs-client openafs-fileserver +# The /usr/share/doc directory for these packages should be a symlink to +# /usr/share/doc/openafs-client. Any package on this list must depend on +# openafs-client. +DOC_PACKAGES = libpam-openafs-kaserver openafs-dbserver openafs-fileserver \ + openafs-kpasswd + # These variable is used only by get-orig-source, which will normally only be # run by maintainers. VERSION = 1.4.0-rc3 
@@ -100,13 +107,13 @@ install: build dh_installdirs dh_install - for foo in $(LINTIAN_PACKAGES) ; do \ - install -d debian/$$foo/usr/share/lintian/overrides || exit 1 ; \ - install -m 644 -c debian/$$foo.lintian \ - debian/$$foo/usr/share/lintian/overrides/$$foo || exit 1 ; \ + set -e; for pkg in $(LINTIAN_PACKAGES) ; do \ + install -d debian/$$pkg/usr/share/lintian/overrides; \ + install -m 644 -c debian/$$pkg.lintian \ + debian/$$pkg/usr/share/lintian/overrides/$$pkg; \ done - for pkg in openafs-dbserver openafs-fileserver openafs-kpasswd ; do \ - ln -s openafs-client debian/$$pkg/usr/share/doc/$$pkg || exit 1 ; \ + set -e; for pkg in $(DOC_PACKAGES) ; do \ + ln -s openafs-client debian/$$pkg/usr/share/doc/$$pkg; \ done mv debian/openafs-client/usr/bin/pagsh \ debian/openafs-client/usr/bin/pagsh.openafs
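Review bot: in debian/README.Debian, the new PAM Authentication section tells kaserver users that with sshd they "may need to disable privilege separation" without saying what that costs. Privilege separation is what keeps sshd's pre-authentication, network-facing code in an unprivileged process, so the README should state that trade-off next to the advice rather than present it as a neutral workaround. Two wording points in the same hunk: the rewritten Documentation paragraph carries over the old typo "If want to set up a new cell" (should be "If you want"), and "what different mechanism you want to use" should read "mechanisms".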
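Review bot: in debian/control, the new "Depends: ${shlibs:Depends}, openafs-client" for libpam-openafs-kaserver is unversioned, while debian/rules in this same commit adds the package to DOC_PACKAGES and so makes its /usr/share/doc directory a symlink to openafs-client's. With an unversioned dependency, the changelog and copyright reached through that symlink can come from a different openafs-client version than the installed PAM module. Consider a versioned dependency on the matching source version for this package.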
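Review bot: in the install target of debian/rules, "ln -s openafs-client debian/$$pkg/usr/share/doc/$$pkg" exits successfully even when debian/$$pkg/usr/share/doc/$$pkg already exists as a real directory; in that case the link is created inside the directory, and the new "set -e" does not catch it. libpam-openafs-kaserver is new to this loop, so it is worth confirming that dh_installdirs and dh_install do not create that directory for it, or making the loop fail when the path already exists, for example with a "test ! -e" check before the "ln -s".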