Adds doc about CTA keytab

9edb7fea · Michael Davis · 9035196e · 9edb7fea · 9edb7fea
Commit 9edb7fea authored 7 years ago by Michael Davis
--- a/doc/latex/CTA_Admin_EOS.tex
+++ b/doc/latex/CTA_Admin_EOS.tex
@@ -35,6 +35,7 @@ xrootd-server-libs-4.4.1-1.el7.x86_64
 \end{lstlisting}

 \section{Create a Kerberos \texttt{keytab} file}
+\label{install_eos_create_kerberos_keytab}

 \begin{alertbox}
 The instructions below are for machines on structured cabling which have a fixed IP address. Machines without a fixed IP
@@ -48,7 +49,8 @@ The EOS \texttt{mgm} in the XRoot daemon authenticates users using a key from th
 If \texttt{/etc/krb5.keytab} does not already exist, we need to create a new EOS service principal in the \texttt{kdc},
 and install the key in the keytab.

-In the case of machines at CERN with a fixed IP address, there is a package for this:
+In the case of machines at CERN with a fixed IP address, there is a package for this\footnote{For more details, see
+\href{http://linux.web.cern.ch/linux/docs/kerberos-access.shtml}{http://linux.web.cern.ch/linux/docs/kerberos-access.shtml}}:
 \begin{lstlisting}
 # yum install cern-get-keytab
 \end{lstlisting}
@@ -96,13 +98,6 @@ slot KVNO Principal
 ktutil:  @@write_kt /etc/krb5.keytab.eos@@
 ktutil:  @@quit@@
 \end{lstlisting}
-Repeat for the CTA principal:
-\begin{lstlisting}
-# rm -f /etc/krb5.keytab.cta
-# cp /etc/krb5.keytab /etc/krb5.keytab.cta
-# chown `id -n -u`:`id -n -g` /etc/krb5.keytab.cta
-# echo -e "read_kt /etc/krb5.keytab.cta\nlist\nquit" | ktutil
-\end{lstlisting}

 \section{Create a Simple Shared Secret \texttt{keytab} file}


--- a/doc/latex/CTA_Admin_Install.tex
+++ b/doc/latex/CTA_Admin_Install.tex
@@ -267,7 +267,7 @@ To delete an existing database schema:
 # cta-catalogue-schema-drop /etc/cta/cta_catalogue_db.conf
 \end{lstlisting}

-\section{Configure the CTA Front End}
+\section{Configure CTA Front End}
 \label{install_cta_configure_front_end}

 Create the CTA Front End configuration file \texttt{/etc/cta/cta-frontend.conf}. The ObjectStore Backend should point to
@@ -288,7 +288,7 @@ Create the CTA user:
 # useradd cta
 \end{lstlisting}

-\subsection{Configure CTA Front End Authentication}
+\subsection{CTA Front End Authentication}

 CTA will receive archive and retrieve requests from multiple EOS instances, one per User (Atlas, CMS, etc.) There will
 be a Simple Shared Secret (SSS) key for each EOS instance\footnote{In principle, each instance can have a unique key. In
@@ -350,7 +350,7 @@ xrootd.seclib libXrdSec.so

 # Protocol specification
 # The xroot server process needs to be able to read the keytab file
-sec.protocol krb5 /etc/cta-frontend.keytab cta/cta-frontend@CERN.CH
+sec.protocol krb5 /etc/krb5.keytab.cta cta/cta-frontend@TEST.CTA
 sec.protocol sss -s /etc/ctafrontend_server_sss.keytab -c /etc/ctafrontend_client_sss.keytab

 # Only Kerberos 5 and sss are allowed
@@ -366,26 +366,19 @@ xrootd.async off
 # Use a port other than 1094, already used by EOS xroot server
 xrd.port 10955
 \end{lstlisting}
+\texttt{/etc/krb5.keytab.cta} is a copy of \texttt{/etc/krb5.keytab} (If this file does not exist, see
+Appendix~\ref{install_eos_create_kerberos_keytab} for details of how to create it). It must be owned by the user/group
+which will run the CTA Front End XRoot daemon.

-\begin{alertbox}
-How is /etc/cta-frontend.keytab created?
-
-In one of the other scripts, this keytab has a different name: /etc/krb5.keytab.cta
-\end{alertbox}
-\begin{alertbox}
-The CTA Command Line Interface needs to speak to a \emph{xroot} server which uses the CTA plugin to interpret and execute
-the commands sent by the user. All the information needed by the \emph{xroot} server is contained within a configuration
-file which is currently called \texttt{xrd.cf.cta}.
-
-All this will work fine provided that you have a file called \texttt{/etc/krb5.keytab.cta} which is a copy of your keytab
-file (\texttt{/etc/krb5.keytab}). \texttt{/etc/krb5.keytab.cta} must be owned by the user.group that will run the
-\emph{xroot} server process. If you don't have a keytab file you may get one using \texttt{cern-get-keytab} (for CERN
-supported Linux systems) or \texttt{msktutil} (for other systems), as explained in:
+It should be created as follows:
+\begin{lstlisting}
+# cd /etc
+# rm -f krb5.keytab.cta
+# cp krb5.keytab krb5.keytab.cta
+# chown cta:cta krb5.keytab.cta
+# echo -e "read_kt krb5.keytab.cta\nlist\nquit" | ktutil
+\end{lstlisting}

-\begin{verbatim}
-  http://linux.web.cern.ch/linux/docs/kerberos-access.shtml
-\end{verbatim}
-\end{alertbox}
 \begin{alertbox}
 Why do we have some XRoot configuration files under \texttt{/etc/xrd.cf.<daemon>} and some under \texttt{/etc/xrootd/<daemon>.cfg}?
 \end{alertbox}