CAEN

Users of CAEN-supported UNIX workstations (Solaris or HP-UX) should take note that a recent change was made which may affect your ability to access files in AFS. Beginning on November 7, 2006, CAEN installed Kerberos 5 login software to replace older Kerberos 4 login software on Solaris and HP-UX. This change is in response to the ITCS shutdown of Kerberos 4 services for the UMICH.EDU Kerberos realm, and the fact that older software would no longer function correctly after this happens. Refer to http://www.itcs.umich.edu/itstaff/security/K4toK5/ for details on the ITCS Kerberos changes.

The new login software authenticates users via Kerberos 5 and obtains a Kerberos 5 ticket granting ticket (TGT) at login time, instead of Kerberos 4 credentials. One side affect of this change is that, after logging in to a Solaris or HP-UX machine, a user will only obtain access to the umich.edu AFS cell if the home directory associated with that account resides inside the umich.edu AFS cell. In addition to the home directory within the umich.edu AFS cell (IFS) that ITCS provides to all U-M students, faculty and staff, CAEN used to provide CAEN account holders with a home directory in the engin.umich.edu AFS cell. Therefore holders of older CAEN accounts may have two AFS home directories. Those CAEN account holders with two AFS home directories may have their CAEN account configured to use either one as their home directory when they log onto CAEN supported UNIX systems.

Most people who received a CAEN account prior to May 1, 2006 do not have their CAEN account configured to use their home directory that resides in umich.edu; instead, their CAEN account is configured to use their home directory that resides in the engin.umich.edu AFS cell. After May 1, 2006 those who received CAEN accounts only had one AFS home directory which resided in the umich.edu AFS cell and their CAEN account was therefore configured to use that home directory.

The following chart summarizes the way that the old login software behaved, and how things changed on November 6, 2006, when new software was installed:

Prior to November 6, 2006
-------------------------
If AFS home directory is inside:	engin.umich.edu	umich.edu
                                	---------------	---------
Log in using which password?     	ENGIN.UMICH.EDU	UMICH.EDU
Access to engin.umich.edu AFS?     	Yes		Passwords same
Access to umich.edu AFS?		Passwords same	Yes

Starting November 6, 2006
-------------------------
If AFS home directory is inside:	engin.umich.edu	umich.edu
                                	---------------	---------
Log in using which password?     	ENGIN.UMICH.EDU	UMICH.EDU
Access to engin.umich.edu AFS?     	Yes		Yes
Access to umich.edu AFS?		No		Yes

As you can see, a potential problem exists for users who expect to be able to access files in the umich.edu AFS cell after logging in to a CAEN Solaris or HP-UX machine. Users who require access to their IFS home directory in the umich.edu AFS cell can obtain access via one of two means: they can manually authenticate to the umich.edu cell (after logging in to the machine using their ENGIN.UMICH.EDU password), or they can change their login home directory on CAEN systems to their IFS home directory (in the umich.edu AFS cell). To manually obtain access to files in the umich.edu AFS cell, run the following command from a command prompt:

gettoken @umich.edu

You will be prompted for your UMICH.EDU Kerberos password. To view which AFS cells you currently have access to, run the following command from a command prompt:

tokens

To change your home directory to use the umich.edu AFS cell, send an email to caen@umich.edu. See the following URL for more information about making this change:

• http://www.engin.umich.edu/caen/news/archive/afs/

If you have any other questions or concerns about access to files in AFS or other problems with authentication on CAEN-loaded Solaris or HP-UX machines, please contact caen@umich.edu.