This page contains instructions to enable your computer to access the services provided by your Numenor account. We occasionally assume that you are using a Debian machine, for simplicity. Links to sample configuration files are included; your exact configuration may differ.
For Kerberos V, add the following lines to /etc/krb5.conf:
[realms]
NUMENOR.MIT.EDU = {
kdc = numenor.mit.edu
admin_server = numenor.mit.edu
}
...
[domain_realm]
numenor.mit.edu = NUMENOR.MIT.EDU
...
For Kerberos IV, add the following line to /etc/krb.conf:
NUMENOR.MIT.EDU numenor.mit.edu admin server
and the following line to /etc/krb.realms:
numenor.mit.edu NUMENOR.MIT.EDU
You should now be able to get Numenor Kerberos tickets by typing kinit user@NUMENOR.MIT.EDU. Note that if you already had Athena tickets, they will be overwritten by default. See the Environment section for tips on how to access the Athena and Numenor realms simultaneously.
Add the following lines to /etc/openafs/CellServDB:
>numenor.mit.edu #Project Numenor cell
18.243.2.49 #numenor.mit.edu
You may want to set the AFS_AFSDB and AFS_DYNROOT options in /etc/openafs/afs.conf.client. AFS_DYNROOT lets your machine cope with being booted without a network connection, while AFS_AFSDB lets it access foreign cells that publish an appropriate DNS entry (numenor.csail.mit.edu is one such entry).
Then restart AFS.
The Numenor CA certificate, together with its GPG signature, is in the security locker. Verify the signature and make sure the openssl package is installed, then copy the CA certificate to /etc/ssl/certs/numenorca.pem and run c_rehash. You should also install this certificate in your browser.
After enabling Kerberos IV, point your Zephyr host manager to the Numenor Zephyr server by invoking it as zhm numenor.mit.edu.
We are currently looking into setting up a Zephyr gateway between the Athena and Numenor realms.
New! It is now possible to run multiple Zephyr host managers on the same machine, allowing you to use the Numenor and Athena Zephyr realms simultaneously. See the Zephyr Multi-realm Host Manager page for details.
Install the libldap2, ldap-utils, libsasl2, and libsasl2-gssapi packages, and edit /etc/ldap/ldap.conf so it refers to the Numenor LDAP server, as shown below:
BASE dc=numenor,dc=mit,dc=edu
URI ldaps://numenor.mit.edu/
TLS_CACERT /etc/ssl/certs/numenorca.pem
You can now run useful queries against the Numenor LDAP server:
$ ldapsearch -LLL uid=tabbott uidNumber 2>/dev/null
dn: uid=tabbott,ou=People,dc=numenor,dc=mit,dc=edu
uidNumber: 1000
$ ldapsearch -LLL cn=workstation nisMapEntry 2>/dev/null
dn: cn=workstation,nisMapName=auto.numenor,dc=numenor,dc=mit,dc=edu
nisMapEntry: -fstype=afs :/afs/numenor.mit.edu/project/workstation
Note: The use of Hesiod on Numenor is now deprecated in favor of LDAP. We hope to provide a Hesiod front-end to the LDAP server in the near future. For now, we recommend leaving your Hesiod domain as athena.mit.edu, for optimal Athena integration.
Install the hesiod package, using athena.mit.edu as your Hesiod domain (rhs) in /etc/hesiod.conf:
rhs=.athena.mit.edu
After enabling LDAP, you can set up the /numenor automounter as follows. Install the autofs and autofs-ldap packages (apt-get install autofs autofs-ldap), then edit /etc/auto.master so it contains the line:
/numenor ldap:nisMapName=auto.numenor,dc=numenor,dc=mit,dc=edu
and restart the automounter with /etc/init.d/autofs restart.
Now you should be able to access your favorite Numenor lockers through commands such as cd /numenor/tabbott, and the filesystem will be automagically mounted, using the nisMapEntry data from LDAP.
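The step from the LDAP data shown above to the automounter is what autofs-ldap performs internally. The following added example (not part of this page or of autofs) reproduces it offline: it parses the LDIF that ldapsearch returns for auto.numenor entries and turns each nisMapEntry into a flat autofs map line, then resolves a locker name to the AFS path that cd /numenor/<name> would mount. The LDIF is constructed: the first entry is the page's own ldapsearch output, the second is a made-up user locker (the /afs/numenor.mit.edu/user/... path is an assumption) whose value is folded across two lines the way ldapsearch wraps long values, which is the edge case a naive line-by-line parser gets wrong.

```shell
#!/bin/bash
# Added example (not part of the Numenor page or its tools): reproduce what
# autofs-ldap does with the auto.numenor map, namely turn the nisMapEntry
# attribute of an LDAP entry into an automounter map line, without a live
# LDAP server. The LDIF below is constructed: the first entry is the page's
# own ldapsearch output, the second is a made-up user locker whose path is
# folded across two lines the way ldapsearch wraps long values.

SAMPLE_LDIF='dn: cn=workstation,nisMapName=auto.numenor,dc=numenor,dc=mit,dc=edu
cn: workstation
nisMapEntry: -fstype=afs :/afs/numenor.mit.edu/project/workstation

dn: cn=tabbott,nisMapName=auto.numenor,dc=numenor,dc=mit,dc=edu
cn: tabbott
nisMapEntry: -fstype=afs :/afs/numenor.mit.edu/user/t
 abbott
'

# unfold_ldif: join LDIF continuation lines (they begin with one space) back
# onto the line they belong to. Reads stdin, writes stdout.
unfold_ldif() {
  awk '
    /^ /   { buf = buf substr($0, 2); next }
    NR > 1 { print buf }
           { buf = $0 }
    END    { print buf }
  '
}

# ldif_to_automap: print one "key entry" line per LDAP entry, which is the
# format of a flat autofs map file (key = cn, entry = nisMapEntry). Entries
# are separated by blank lines; attribute order within an entry does not matter.
ldif_to_automap() {
  unfold_ldif | awk '
    function flush() {
      if (key != "" && entry != "") print key " " entry
      key = ""; entry = ""
    }
    /^cn: /          { key = substr($0, 5) }
    /^nisMapEntry: / { entry = substr($0, 14) }
    /^$/             { flush() }
    END              { flush() }
  '
}

# locker_target NAME: the AFS path that "cd /numenor/NAME" would mount, or
# nothing if the map has no such key. Strips the leading ":" that autofs map
# syntax uses to mark a mount source with no host part.
locker_target() {
  printf '%s\n' "$SAMPLE_LDIF" | ldif_to_automap |
    awk -v k="$1" '$1 == k { sub(/^:/, "", $3); print $3 }'
}

# Usage: show the whole map, then the resolved target of one locker.
printf '%s\n' "$SAMPLE_LDIF" | ldif_to_automap
locker_target workstation
```

Running the block prints the two map lines and then /afs/numenor.mit.edu/project/workstation for the workstation locker; the folded tabbott entry resolves to a single unbroken path because unfold_ldif rejoins the continuation line before the map is built.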
While you’re at it, you could set up an automounter on /mit as well, by following the instructions above to enable Hesiod, then installing the autofs-hesiod package and adding the following line:
/mit hesiod
We have created some simple shell scripts to make it easier to use the Athena and Numenor realms together. The first is the numenor script, the second the athena script; each prints its realm's settings when run without arguments, and runs the given command under those settings otherwise.
#!/bin/bash
# numenor: print (no arguments) or apply (with a command) the Numenor realm environment.
vars()
{
# The heredoc is deliberately unquoted so that ${UID} expands to the invoking user's id.
cat <<EOF
declare -x KRB5_CONFIG="/etc/krb5.conf.numenor";
declare -x KRB5CCNAME="/tmp/krb5cc_${UID}.numenor";
declare -x KRBTKFILE="/tmp/tkt${UID}.numenor";
declare -x AFSCELL="numenor.mit.edu";
declare -x HES_DOMAIN="numenor.csail.mit.edu";
declare -x ZEPHYR_SERVER="numenor.mit.edu";
EOF
}
if [ ${#} -eq 0 ]; then
# No command given: emit the settings, for use as eval "$(numenor)" in a shell.
vars
else
# Apply the settings to this process only, then replace it with the requested command.
eval "$(vars)"
exec "$@"
fi
#!/bin/bash
# athena: print (no arguments) or apply (with a command) the Athena realm environment.
vars()
{
# The heredoc is deliberately unquoted so that ${UID} expands to the invoking user's id.
cat <<EOF
declare -x KRB5_CONFIG="/etc/krb5.conf.athena";
declare -x KRB5CCNAME="/tmp/krb5cc_${UID}.athena";
declare -x KRBTKFILE="/tmp/tkt${UID}.athena";
declare -x AFSCELL="athena.mit.edu";
declare -x HES_DOMAIN="athena.mit.edu";
declare -x ZEPHYR_SERVER="z1.mit.edu";
EOF
}
if [ ${#} -eq 0 ]; then
# No command given: emit the settings, for use as eval "$(athena)" in a shell.
vars
else
# Apply the settings to this process only, then replace it with the requested command.
eval "$(vars)"
exec "$@"
fi
You will probably want to have your machine’s default set to one or the other realm, and then use the special script to access the other realm’s services. For example, when logged into Numenor, I can get Athena AFS tokens by running:
$ athena kinit tabbott
$ athena aklog
For these scripts to work, you’ll also need to set up a separate set of Kerberos configuration files. For example, on a primarily Numenor-based machine, copy /etc/krb.conf to /etc/krb.conf.athena, and change the default realm on the top line to ATHENA.MIT.EDU. Next, copy /etc/krb5.conf to /etc/krb5.conf.athena, change the default_realm to ATHENA.MIT.EDU, and change the krb4_config line to point to /etc/krb.conf.athena. That will allow the athena script above to find the Kerberos configuration appropriate for Athena. On a machine already set up for Athena access, use the numenor script instead and create /etc/krb.conf.numenor and /etc/krb5.conf.numenor analogously.
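The two scripts above differ only in their values, and the thing that makes them safe to use side by side is the per-realm KRB5CCNAME and KRBTKFILE, which is why a kinit under one wrapper never overwrites the other realm's tickets. The following added example (not one of the page's scripts) folds both into one withrealm wrapper driven by a realm table, keeps the page's /etc/krb5.conf.<realm> naming, and runs the command in a subshell so the caller's own realm settings are left untouched. It uses export rather than declare -x and id -u rather than bash's $UID so that it also runs under plain sh; the realm table values are the ones from the numenor and athena scripts above.

```shell
#!/bin/bash
# Added example, not one of the page's scripts: "withrealm", one wrapper for
# any realm instead of a copy per realm. The per-realm values are the ones
# the numenor and athena scripts use; the file naming /etc/krb5.conf.<realm>
# is the page's convention. Written to run under plain sh as well as bash.

# realm_vars REALM: print REALM's environment as export lines, or fail with
# status 1 for a realm that is not in the table.
realm_vars() {
  local realm cell hes zserver uid
  realm=$1
  case $realm in
    numenor) cell=numenor.mit.edu; hes=numenor.csail.mit.edu; zserver=numenor.mit.edu ;;
    athena)  cell=athena.mit.edu;  hes=athena.mit.edu;        zserver=z1.mit.edu ;;
    *) echo "withrealm: unknown realm '$realm'" >&2; return 1 ;;
  esac
  uid=$(id -u)   # portable stand-in for bash's $UID
  # A separate credential cache and ticket file per realm is what keeps a
  # kinit in one realm from overwriting the other realm's tickets.
  cat <<EOF
export KRB5_CONFIG="/etc/krb5.conf.${realm}";
export KRB5CCNAME="/tmp/krb5cc_${uid}.${realm}";
export KRBTKFILE="/tmp/tkt${uid}.${realm}";
export AFSCELL="${cell}";
export HES_DOMAIN="${hes}";
export ZEPHYR_SERVER="${zserver}";
EOF
}

# withrealm REALM [COMMAND...]: with a command, run it under REALM's settings
# in a subshell, so the caller's own realm stays untouched; without a command,
# print the settings for use as: eval "$(withrealm numenor)"
withrealm() {
  local realm settings
  realm=$1; shift
  settings=$(realm_vars "$realm") || return 1
  if [ $# -eq 0 ]; then
    printf '%s\n' "$settings"
  else
    ( eval "$settings"; exec "$@" )
  fi
}

# Script usage: withrealm REALM COMMAND...   e.g.  withrealm athena kinit tabbott
if [ $# -gt 0 ]; then
  withrealm "$@"
fi
```

Because the command runs in a subshell, "withrealm athena kinit tabbott" followed by "withrealm athena aklog" behaves like the page's athena script, while the shell you typed it in keeps whatever realm it was set up for; an unknown realm name is rejected with status 1 rather than silently exporting empty values.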
You may also want to create bash completion files such as /etc/bash_completion.d/athena:
[ "$have" ] && complete -o filenames -F _command athena
so that your Tab completion works correctly when you use the athena command.
Project Numenor, August 6, 2005