[OpenAFS] Authenticating against krb5-only KDC (active directory)

Douglas E. Engert deengert@anl.gov
Thu, 21 Mar 2002 19:44:05 -0600

Jacob Gorm Hansen wrote:
> On Mon, Mar 18, 2002 at 09:57:42AM -0600, Douglas E. Engert wrote:
> > I see you have received many comments on this, but we are doing this now.
> > I can use K5 on W2k to authenticate, then a krb524d running on a unix
> > box to convert to a K4/AFS token.
> >
> > This requires two sets of mode. The krb524d uses two sets of keys. It
> > decrypts with the K5 key from W2K, then encrypts the K4/AFS token with the key
> > used by AFS in the KeyFile.
> I suppose this means krb524d must share knowledge of the key used to encrypt
> the K5 token. How, in practice, does one share such a key with active
> directory?

You get a key from the W2K much like you get a key for a host. It's just
for afs/cell@REALM. The MS documents talk about how to do this for a host.
The process of adding the afs/cell@realm can output a keytab file, or
it can print the key on the screen.

You can then use the MIT ktutil addent -key to add this to a keytab file. 

> > A change we are working on is dropping krb524d and aklog all together, and
> > replacing them with a gssklog. This would authenticate using GSSAPI, and
> > returns a K4/AFS token. The gssklogd would run on the AFS servers. This could
> > then either use the MIT gssapi, or on Windows, could use  Martin Rex's GSSAPI
> > over SSPI. i.e.  the gssklog has no Kerberos source code, using your favorite
> > compiled GSSAPI libs.
> This sounds much cleaner. How far are you from making this work?

We have been using this against a DCE server since 1995, and against a W2K 
server for about a year. 

> > See ftp://achilles.ctd.anl.gov/pub/kerberos.v5/
> > for MIT mods for the aklog, and krb524d
> >
> > and
> >  ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar
> > for the gssklog.
> I will, thanks,
> Jacob
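The step described above, exporting the afs/cell@REALM key from the W2K KDC and storing it with `ktutil addent -key`, amounts to writing one entry in MIT keytab format. The block below is an added example, not code from the thread or from OpenAFS or MIT Kerberos: it builds a version 0x0502 keytab entry by hand for a key given as hex (the form ktpass prints on the screen), writes it with root-only permissions, and parses it back so the entry can be checked before handing it to krb524d. The principal, realm, kvno and key bytes are constructed placeholders, not real values.

```python
"""Write and read back an MIT-format (0x0502) keytab entry by hand.

Added example, not part of the original message. The sample principal,
realm, kvno and key are constructed placeholders; enctype 1 is des-cbc-crc,
the single-DES type an AFS cell of that era used.
"""
import os
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2
NT_PRINCIPAL = 1             # name type for service principals

SAMPLE_PRINCIPAL = "afs/example.cell"      # constructed
SAMPLE_REALM = "EXAMPLE.COM"               # constructed
SAMPLE_KVNO = 3                            # constructed
SAMPLE_ENCTYPE = 1                         # des-cbc-crc
SAMPLE_KEY_HEX = "0123456789abcdef"        # constructed, not a real key


def _counted(data):
    """uint16 length followed by the bytes (keytab counted_octet_string)."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_entry(principal, realm, kvno, enctype, key, timestamp=None):
    """Serialize one entry, prefixed with its int32 size as the file expects."""
    comps = principal.split("/")
    ts = int(time.time()) if timestamp is None else timestamp
    body = struct.pack(">H", len(comps))           # v2: realm not counted
    body += _counted(realm.encode("ascii"))
    for c in comps:
        body += _counted(c.encode("ascii"))
    body += struct.pack(">I", NT_PRINCIPAL)
    body += struct.pack(">I", ts)
    body += struct.pack(">B", kvno & 0xFF)         # legacy 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                # 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    """Whole keytab image: magic followed by the serialized entries."""
    return KEYTAB_MAGIC + b"".join(build_entry(**e) for e in entries)


def entry_from_hex_key(principal, realm, kvno, enctype, key_hex, timestamp=None):
    """Turn the hex key printed by the KDC export into an entry dict."""
    return dict(principal=principal, realm=realm, kvno=kvno,
                enctype=enctype, key=bytes.fromhex(key_hex), timestamp=timestamp)


def write_keytab(path, entries):
    """Write the keytab 0600: anyone who can read it owns the AFS cell key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(build_keytab(entries))


def parse_keytab(data):
    """Read every live entry back; returns dicts with principal, kvno, enctype, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode("ascii"))
        _name_type, ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        (enctype,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:          # 32-bit vno present and nonzero wins
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                kvno = vno32
        out.append(dict(principal="/".join(comps) + "@" + realm.decode("ascii"),
                        kvno=kvno, enctype=enctype, key=key, timestamp=ts))
        pos = end
    return out


if __name__ == "__main__":
    e = entry_from_hex_key(SAMPLE_PRINCIPAL, SAMPLE_REALM, SAMPLE_KVNO,
                           SAMPLE_ENCTYPE, SAMPLE_KEY_HEX)
    write_keytab("afs.keytab", [e])
    for ent in parse_keytab(open("afs.keytab", "rb").read()):
        print(ent["principal"], "kvno", ent["kvno"], "enctype", ent["enctype"])
```

The kvno must match what the KDC now has for afs/cell@REALM, or krb524d will fail to decrypt the K5 service ticket; the parser returns the 32-bit vno precisely so a kvno above 255 reads back correctly rather than truncated to the old 8-bit field.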
