From: Michael Collette <metrol@metrol.net>
To: FreeBSD Security <freebsd-security@freebsd.org>
Date: Mon, 4 Aug 2003 16:26:41 -0700
Subject: Re: Kerberos to file server
In-Reply-To: <200307301553.40385.metrol@metrol.net>
Message-Id: <200308041626.41760.metrol@metrol.net>

On Wednesday 30 July 2003 03:53 pm, Michael Collette wrote:
> I've got this AS/400 with gobs of unused file storage on it that I want to
> share across as a file server to a FreeBSD box. The AS/400 side of things
> supports NFS and kinda pretends to be a Unix-like machine in this role.

Since I've received a number of off-list replies to this, I thought I'd post some additional information about what all I've dug up. Still not working yet, but getting a little smarter about this. Sorry if folks think this is off-topic, but as this involves both authentication and authorization to a foreign system I still believe this is applicable.

As was pointed out to me on and off list, I can connect to the shared NFS files on the AS/400 without Kerberos. The next obvious problem (obvious to me now) is the issue of file ownership. Just getting a connection across doesn't provide any user id mapping by itself. This is where IBM's EIM (Enterprise Identity Manager) kicks in. It provides for a user name translation table so a user on one system is a user on all. In order to make use of EIM, a Kerberos-based authentication needs to take place. Apparently once this happens, FreeBSD users become AS/400 users in so far as file ownership goes.

For those who may be interested:
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/index.htm?info/rzalv/rzalvmst.htm

That's all of what I've managed to dig up thus far. Here's where I'm lost. The FreeBSD Handbook has a Kerberos tutorial, but it's apparently out of date or something just ain't right.
http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kerberos.html

First thing it asks me to do is initialize the Kerberos database with the "kdb_init" command. I don't have a kdb_init command on this system. I then just installed the krb5 port, and it doesn't have that command either. Double checked the package list. It looks like a number of things don't match up to the tutorial.

Is there some new procedure out there to configure a Kerberos-enabled machine, or am I just missing some key component in a perfectly fine tutorial?

Thanks,
-- 
"In theory, there is no difference between theory and practice. In practice, there is." - Yogi Berra
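An added example for the two points raised in the message above; it is not code from the original thread, from IBM's EIM documentation or from the FreeBSD Handbook. The script does the FreeBSD-side work the poster describes: it builds the plain (non-Kerberos) NFSv3 mount of the AS/400 export and lists the mount with numeric owners so the unmapped uids/gids are visible, then works out which Kerberos toolchain is actually installed and prints the matching KDC database-initialisation commands. The `kdb_init` command the Handbook chapter names belongs to the old KerberosIV tools; Heimdal (the krb5 in the FreeBSD 5.x base system) initialises its database with `kstash` followed by `kadmin -l init REALM`, and MIT krb5 from the `security/krb5` port uses `kdb5_util create -r REALM -s`. The hostname `as400.example.com`, export `/home`, mount point `/mnt/as400` and realm `EXAMPLE.COM` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Host, export, mount
# point and realm below are assumptions; override them in the environment.
AS400_HOST="${AS400_HOST:-as400.example.com}"   # assumed AS/400 hostname
EXPORT="${EXPORT:-/home}"                        # assumed NFS export on it
MNT="${MNT:-/mnt/as400}"                         # local mount point
REALM="${REALM:-EXAMPLE.COM}"                    # assumed Kerberos realm

# Build the non-Kerberos NFSv3 mount command for the AS/400 export.
# Returned as a string so it can be reviewed before anything is run.
nfs_mount_cmd() {
    printf 'mount -t nfs -o nfsv3,soft,intr %s:%s %s' "$1" "$2" "$3"
}

# Show numeric owners (-n) on the mount: without any EIM/Kerberos identity
# mapping, files arrive with whatever uid/gid the AS/400 side reports.
show_numeric_owners() {
    ls -ln "$1"
}

# Work out which Kerberos admin toolchain is installed, by binary name:
#   kdb_init   -> the KerberosIV tools the old Handbook chapter describes
#   kstash     -> Heimdal (the krb5 shipped in the FreeBSD 5.x base system)
#   kdb5_util  -> MIT krb5 (security/krb5 port)
kdc_flavor() {
    if command -v kdb_init >/dev/null 2>&1; then
        echo kerberosIV
    elif command -v kstash >/dev/null 2>&1 && command -v kadmin >/dev/null 2>&1; then
        echo heimdal
    elif command -v kdb5_util >/dev/null 2>&1; then
        echo mit
    else
        echo none
    fi
}

# Print the KDC database-initialisation commands for a toolchain and realm,
# one command per line; exit status 1 if the toolchain is not recognised.
kdc_init_cmds() {
    case "$1" in
        kerberosIV) printf 'kdb_init\nkstash\n' ;;
        heimdal)    printf 'kstash\nkadmin -l init %s\n' "$2" ;;
        mit)        printf 'kdb5_util create -r %s -s\n' "$2" ;;
        *)          echo "no Kerberos admin tools found in PATH" >&2; return 1 ;;
    esac
}

main() {
    echo "# step 1: plain NFS mount (set RUN=1 to actually mount and list)"
    cmd=$(nfs_mount_cmd "$AS400_HOST" "$EXPORT" "$MNT")
    echo "$cmd"
    if [ "${RUN:-0}" = 1 ]; then
        mkdir -p "$MNT" && $cmd && show_numeric_owners "$MNT"
    fi
    echo "# step 2: KDC initialisation commands for the installed toolchain"
    flavor=$(kdc_flavor)
    echo "detected: $flavor"
    kdc_init_cmds "$flavor" "$REALM" || true
}

main
```

Run it as is to see the commands it would issue; with `RUN=1` it performs the mount and the `ls -ln`. The numeric listing is the useful check here: if the uids shown do not line up with `/etc/passwd` on the FreeBSD side, that is the ownership gap the message describes, and it is the gap the EIM mapping (after Kerberos authentication) is meant to close.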