[OpenAFS] MIT Kerberos V authentication with OpenAFS

Neulinger, Nathan nneul@umr.edu
Wed, 6 Mar 2002 11:25:12 -0600

Basicaly, you just point your krb5 clients at the ADS DC, add a afs@CELL
principle to the DC, extract it to a keytab, copy that keytab and a
KeyFile to someplace you want to run your krb524d service. You then run
aklog on the clients to cause them to get a afs tokens after getting
krb5 tickets.=20

Shouldn't need much special in krb5.conf. But I run with:

        default_realm =3D UMR.EDU
        default_tgs_enctypes =3D des-cbc-crc
        default_tkt_enctypes =3D des-cbc-crc

        UMR.EDU =3D {
                kdc =3D kdc.umr.edu
                admin_server =3D kdc.umr.edu
                default_domain =3D umr.edu
                krb524_server =3D krb524.umr.edu

        .umr.edu =3D UMR.EDU
        umr.edu =3D UMR.EDU

        default =3D SYSLOG:INFO:DAEMON

        autologin =3D true
        forward =3D true
        forwardable =3D true
        krb4_get_tickets =3D false
        krb4_convert =3D false
        krb5_run_aklog =3D true
        krb5_aklog_path =3D /home/local/krb5/bin/aklog
        check_quota =3D false
        retain_ccache =3D false
        afs_retain_token =3D false
        encrypt =3D true
        forceencrypt =3D false
        default_lifetime =3D "200d"
        UMR.EDU =3D {
                afs_retain_token =3D true

        xdm =3D {
                afs_retain_token =3D false

        ftpd =3D {
                afs_retain_token =3D false

-- Nathan

Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

> -----Original Message-----
> From: Holger Brueckner [mailto:lists@net-labs.de]=20
> Sent: Wednesday, March 06, 2002 11:15 AM
> To: Neulinger, Nathan
> Subject: RE: [OpenAFS] MIT Kerberos V authentication with OpenAFS
> On Mon, 2002-03-04 at 19:04, Neulinger, Nathan wrote:
> > I just set up a link to it as http://www.umr.edu/~krb5src/=20
> but I'm not
> > making any promises as to how long that will remain available.
> >=20
> > -- Nathan
> Hi thanks for the link ... now on to further questions ;)
> i read on the afs wiki that you are doing afs=20
> authentification against a
> w2k kdc. could you describe how that setup works ?!? this would be a
> good setup for a local school project here.
> i tried to setup your modified version of krb524d. straceing revealed
> that it got some strange paths compiled but ln is your friend ... the
> w2k kdc probably needs to be in mit compatibility mode. what=20
> do you have
> in krb5.conf ?!?
> thx for your help
> Holger=20
> =20