[OpenAFS] Authenticating against krb5-only KDC (active directory)

Jacob Gorm Hansen jg@ioi.dk
Mon, 18 Mar 2002 18:45:12 +0100

On Mon, Mar 18, 2002 at 09:57:42AM -0600, Douglas E. Engert wrote:
> I see you have received many comments on this, but we are doing this now.
> I can use K5 on W2k to authenticate, then a krb524d running on a unix
> box to convert to a K4/AFS token. 
> This requires two sets of mode. The krb524d uses two sets of keys. It
> decrypts with the K5 key from W2K, ten encrypts the K4/AFS token with the key
> used by AFS in the KeyFile. 

I suppose this means krb524d must share knowledge of the key used to encrypt
the K5 token. How, in practice, does one share such a key with active

> A change we are working on is dropping krb524d and aklog all together, and
> replacing them with a gssklog. This would authenticate using GSSAPI, and
> returns a K4/AFS token. The gssklogd would run on the AFS servers. This could
> then either use the MIT gssapi, or on Windows, could use  Martin Rex's GSSAPI
> over SSPI. i.e.  the gssklog has no Kerberos source code, using your favorite
> compiled GSSAPI libs.    

This sounds much cleaner. How far are you from making this work?

> See ftp://achilles.ctd.anl.gov/pub/kerberos.v5/ 
> for MIT mods for the aklog, and krb524d
> and 
>  ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar
> for the gssklog. 

I will, thanks,