[OpenAFS] Authenticating against krb5-only KDC (active directory)

Douglas E. Engert deengert@anl.gov
Mon, 18 Mar 2002 09:57:42 -0600

I see you have received many comments on this, but we are doing this now.
I can use K5 on W2k to authenticate, then a krb524d running on a unix
box to convert to a K4/AFS token. 

This requires two sets of mode. The krb524d uses two sets of keys. It decrypts
with the K5 key from W2K, then encrypts the K4/AFS token with the key used by
AFS in the KeyFile.

Since the krb524d is not run on the same machine as the KDC, the client needs
to be able to find it. This is done using a krb524d = parameter in the [realms]
section of the krb5.conf file.

A change we are working on is dropping krb524d and aklog altogether, and
replacing them with a gssklog. This would authenticate using GSSAPI, and return a
K4/AFS token. The gssklogd would run on the AFS servers. This could then either
use the MIT gssapi, or on Windows, could use Martin Rex's GSSAPI over SSPI, i.e.
the gssklog has no Kerberos source code, using your favorite compiled GSSAPI libs.

See ftp://achilles.ctd.anl.gov/pub/kerberos.v5/ 
for MIT mods for the aklog, and krb524d

for the gssklog. 

Jacob Gorm Hansen wrote:
> I know Active Directory is not anyone's favorite, not mine either, but I need
> to be able to authenticate against it. Currently, I've got just one AFS server.
> running debian linux.
> Does anyone have a recipe for doing so? I read somewhere that krb5 was being
> worked on for OpenAFS, I suppose that would make things easier. What is the
> status of that?
> Best,
> Jacob
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
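As an added illustration (not part of the post above, and not the poster's configuration), the krb5.conf shape the message describes: a W2K domain controller acting as the krb5 KDC, and a separately hosted krb524d named in the [realms] section so the client can find it. The realm name, host names and the [domain_realm] mapping are made up; the krb524d keyword is written as the post gives it, and the exact keyword accepted by a given MIT krb5 release should be checked against that release's krb5.conf documentation before relying on it.

```ini
# Hypothetical krb5.conf for the setup described in the post.
# EXAMPLE.ORG, dc1.example.org and afs1.example.org are made-up names.

[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        # Windows 2000 domain controller acting as the krb5 KDC
        kdc = dc1.example.org:88
        # krb524d runs on a separate unix box, not on the KDC,
        # so the client is told where to reach it.
        # Keyword as written in the post; verify against your krb5 release.
        krb524d = afs1.example.org
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org  = EXAMPLE.ORG
```

The security-relevant point the post makes is that the krb524d is a second trust anchor: it holds both the K5 service key issued by the W2K KDC and the AFS KeyFile key, so the host running it must be protected to the same standard as the AFS servers themselves.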