From: Hironori Ito (hito@rcf.rhic.bnl.gov)
Date: Tue Sep 02 2003 - 10:34:45 EDT
As was announced a long time ago, RCF is moving to Kerberos 5 on September 8th. You should change (or check) your password for it. Otherwise, you might not be able to log on in the future. Also, RCF is changing the AFS cell name from rhic to rhic.bnl.gov. You should change your cell name in your AFS client when the RCF changes. (Note: You must use your Kerberos 5 password for AFS, not your previous AFS password.)

Hiro
attached mail follows:
The RCF is scheduling Monday, September 8 as the day that the rhic AFS cell is migrated to Kerberos 5. On this day, native AFS authentication will be turned off and replaced with Kerberos 5 based authentication. At the same time, the rhic AFS cell will be renamed to rhic.bnl.gov to conform with AFS and Kerberos 5 convention. As a result, AFS users that have not familiarized themselves with their new Kerberos 5 password need to do so NOW.

This announcement contains information on how things will change from the perspective of AFS users and AFS system administrators. For this document, we define AFS users as people that access AFS file systems on an AFS client, but are not responsible for installing or configuring the AFS client software on the system that they are accessing AFS. We define an AFS system administrator as anyone that is responsible for installing or configuring AFS client or server software.

Effects on AFS Users.

The changeover to Kerberos 5 based authentication will affect users in one of two ways, depending on what system (Unix or Microsoft Windows) they use to access the AFS filesystem.

For AFS users on Unix systems, the changeover will require three changes.

First, to authenticate to AFS, you can still use the AFS klog command; however, when prompted for the password, you will need to type in your Kerberos 5 password instead of your AFS password.

Second, since all authentication is occurring via Kerberos 5, if you want to change the password that you use with klog, you will need to change your Kerberos 5 password using the passwd command on the RCF Unix systems. For users with more sophistication, the Kerberos 5 version of kpasswd (/usr/kerberos/bin/kpasswd on Linux systems or /usr/bin/kpasswd on Solaris) can also be used. The AFS kpasswd command will NOT work.
Third, since we will be changing the AFS cell name from rhic to rhic.bnl.gov, you will need to specify rhic.bnl.gov as the cell name instead of rhic if your system is in a different AFS cell (i.e., if you normally type "klog username -c rhic", you will need to type "klog username -c rhic.bnl.gov").

For AFS users on Windows systems, the situation is substantially different. Since the Windows AFS client software uses a different authentication protocol (compared to the Unix AFS client), AFS users on Windows systems will NOT be able to authenticate to the rhic.bnl.gov AFS cell using the standard AFS client software from IBM or OpenAFS. In order to authenticate to the cell, Windows based AFS users will need to use special Kerberos 5 aware AFS authentication software that can be obtained from the RCF. (Note that you will still need to have either a Transarc/IBM or OpenAFS client in addition to this special authentication software.) You will need to ask your AFS system administrator (i.e., the person that installs and configures AFS client software on the system that you are using) to download and install this software. With this special software, you can authenticate to the rhic.bnl.gov AFS cell using your Kerberos 5 password. Note that you can still access world readable directories and files in the rhic.bnl.gov cell without installing this special software.

A special note for people using AFS on RCF systems:

For users of AFS on RCF systems, the change to Kerberos 5 based AFS authentication will provide you with the benefits of single sign on. If you authenticate to the RCF Ssh Gateways with your Kerberos 5 password, you will automatically obtain an AFS token on any system with AFS access in the RCF. Once you obtain an AFS token, it is good for 5 days. If it expires, you can either use the AFS klog command with your Kerberos 5 password, or reauthenticate to Kerberos 5 with kinit and then obtain an AFS token with aklog.

Effects on AFS System Administrators.
The changeover to Kerberos 5 based AFS at the RCF will impact AFS system administrators in a major way. However, the problems are predominantly due to the cell name change and not from the change to Kerberos 5 (except on Windows platforms).

On UNIX based AFS systems, one or possibly two changes need to be made, depending on whether you are administering only an AFS client or are administering an AFS cell that "mounts" the rhic AFS cell.

Unix based AFS Client only administrators.

For Unix based AFS client administrators, there are two possibilities.

If your system's cell is rhic, then you will need to edit the /usr/vice/etc/ThisCell file to contain the new cell name, rhic.bnl.gov. You will also need to update the /usr/vice/etc/CellServDB file to contain information about the new cell name. The current CellServDB file should contain an entry like:

>rhic #Relativistic Heavy Ion Collider
130.199.6.69 #rafs01.rcf.bnl.gov
130.199.6.52 #rafs02.rcf.bnl.gov
130.199.6.51 #rafs03.rcf.bnl.gov

The ">rhic" needs to be changed to ">rhic.bnl.gov", as shown below:

>rhic.bnl.gov #Relativistic Heavy Ion Collider
130.199.6.69 #rafs01.rcf.bnl.gov
130.199.6.52 #rafs02.rcf.bnl.gov
130.199.6.51 #rafs03.rcf.bnl.gov

After you have made these two changes, you will need to get the AFS client software to utilize the new information. (How this is done depends on the system; it may require a reboot, or it may just require a restart of AFS.)

If your system's cell is not rhic, then you will need to contact your local AFS cell administrator and have him/her modify the AFS server to allow access to the new rhic.bnl.gov cell and remove access to the old rhic cell. You will then need to modify the CellServDB file as described in the previous paragraph (or obtain a new version with the above modifications from your AFS Cell administrator). You will then need to get the AFS client software to read the new CellServDB information, most likely through a reboot of your system.
Unix based AFS Cell administrators.

For Unix based AFS Cell administrators, you will need to remove access to the rhic cell from your cell, modify your CellServDB file, and add access to the rhic.bnl.gov cell. Next, propagate the new CellServDB file (with the new cell name) to all AFS clients at your site.

Comments or concerns on this transition should be relayed back to the RCF ASAP.

Shigeki Misawa (misawa@bnl.gov)

--
This message forwarded from the RCF announcements page. Recent messages are available at: http://www.rhic.bnl.gov/RCF/Announcements/announce.html
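
Added example, not part of the forwarded announcement and not RCF's own tooling: the ThisCell and CellServDB edit described for Unix client administrators, run against copies in a temporary directory. The function names and the second entry (rhic-test.example.org, 192.0.2.10) are constructed for illustration; the match is on the exact cell name, so neighbouring entries and a second run are left unchanged.

```shell
#!/bin/sh
# Added example (not RCF tooling); works on copies, never on /usr/vice/etc.
# cell_listed FILE CELL: succeed if FILE has a ">CELL" header (exact name match).
cell_listed() {
    awk -v want="$2" '
        /^>/ { n = $1; sub(/^>/, "", n); sub(/#.*/, "", n)
               if (n == want) found = 1 }
        END  { exit !found }' "$1"
}

# rename_cell DIR OLD NEW: rename the OLD entry in DIR/CellServDB and, if this
# client is a member of OLD, update DIR/ThisCell. Originals are kept as *.bak.
rename_cell() {
    dir=$1; old=$2; new=$3
    db=$dir/CellServDB; this=$dir/ThisCell
    [ -f "$db" ] || { echo "no CellServDB in $dir" >&2; return 1; }
    if cell_listed "$db" "$new"; then
        echo "$new already listed, CellServDB unchanged" >&2
    elif cell_listed "$db" "$old"; then
        cp -p "$db" "$db.bak"
        awk -v old="$old" -v new="$new" '
            /^>/ { n = $1; sub(/^>/, "", n); sub(/#.*/, "", n)
                   if (n == old) $0 = ">" new substr($0, length(old) + 2) }
            { print }' "$db.bak" > "$db"
    else
        echo "$old not found in $db" >&2; return 1
    fi
    # ThisCell names the client's own cell; clients of other cells keep theirs.
    if [ -f "$this" ] && [ "$(cat "$this")" = "$old" ]; then
        cp -p "$this" "$this.bak"
        printf '%s\n' "$new" > "$this"
    fi
}

# make_sample DIR: constructed data; first entry as quoted above, second invented.
make_sample() {
    echo rhic > "$1/ThisCell"
    cat > "$1/CellServDB" <<'EOF'
>rhic           #Relativistic Heavy Ion Collider
130.199.6.69    #rafs01.rcf.bnl.gov
130.199.6.52    #rafs02.rcf.bnl.gov
130.199.6.51    #rafs03.rcf.bnl.gov
>rhic-test.example.org  #constructed neighbour entry
192.0.2.10      #afs1.example.org
EOF
}

work=$(mktemp -d) && make_sample "$work" &&
    rename_cell "$work" rhic rhic.bnl.gov && grep '^>' "$work/CellServDB"
```

As the announcement says, the AFS client still has to be restarted or the system rebooted before it reads the edited files.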