[OpenAFS] Authenticating against krb5-only KDC (activedirectory)

Douglas E. Engert deengert@anl.gov
Fri, 22 Mar 2002 10:55:24 -0600

Holger Brueckner wrote:
> On Fri, 2002-03-22 at 02:54, Douglas E. Engert wrote:
> > It would be afs/cell@k5realm
> >
> > This was originally designed to work with the Globus project which uses
> > a GSSAPI mechanism built on top of SSL. But since it separates out the
> > authentication (gssapi) from the AFS token generation, it can work with
> > the Kerberos V5 GSSAPI. We have a couple of sites using this.
> >
> >
> > It should work with MIT, Heimdal, or even Martin Rex's WIN32 GSSAPI over SSPI.
> > (I have not tried all of these.)
> [from the README]

The README assumes you are using the Grid Security Infrastructure, GSI,
which uses X509 certificates and SSL. 

When used with Kerberos, the server has a principal of afs/<afscell>@<k5realm>
and uses a keytab file.

The afsgrid-mapfile is a flat file that maps GSSAPI names to AFS users.
Its use could be replaced with some other method for use with Kerberos,
such as an aname mapping.

As I said, this should be easy to adapt to use with Kerberos. 

> The servers need a certificate, key, trusted certificates directory and
> afsgrid-mapfile. These default to:
>     /etc/grid-security/afscert.pem
>     /etc/grid-security/afskey.pem
>     /etc/grid-security/certificates
>     /etc/grid-security/afsgrid-mapfile
> The common name in the certificate must be "afs/cellname". If more
> than one server is being run in the cell on multiple AFS servers, they can
> share the certificate, key and afsgrid-mapfile. Thus for example the ANL
> cell is using this certificate:
> /C=US/O=Globus/O=Argonne National Laboratory/CN=afs/anl.gov
> You can get a certificate from the Globus CA, much as a gatekeeper
> certificate today.
> The afsgrid-mapfile allows the AFS admin to control access.
> The file has a line for each user, which consists of the
> certificate subject name, and the afs username, for example:
> "/O=Grid/O=Globus/OU=anl.gov/CN=John Doe" jdoe
> More than one username can be added, separated by commas. This lets the user
> select which username to use when authenticating with the certificate
> listed.
> For example:
> "/O=Grid/O=Globus/OU=anl.gov/CN=John Doe" jdoe,gridadmin
> [readme end]
> so this means normally I should generate a certificate for each user ?!?
> well, this would make sense in a globus environment, but it's a lot of
> overhead for a "normal" afs site.

No, with Kerberos GSSAPI, there are no certificates, and no OpenSSL.
The credential used by the server is a keytab file.

> btw. did anyone try to compile it on linux ?!?
> cya
> Holger Brückner


 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
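The afsgrid-mapfile format quoted in this thread (one double-quoted GSSAPI name per line, followed by one or more AFS usernames separated by commas) as an added example parser, not code from OpenAFS or the Globus project: it loads the mapping and resolves which AFS username an authenticated name is allowed to use. The sample file contents, the handling of blank and `#` comment lines, and the rule that the first listed username is the default are assumptions of this example, not something the README states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample afsgrid-mapfile contents in the format quoted above.
# Blank lines and '#' comments being allowed is this example's assumption.
SAMPLE_MAPFILE = '''
# afsgrid-mapfile (constructed sample, not a real site's file)
"/O=Grid/O=Globus/OU=anl.gov/CN=John Doe" jdoe,gridadmin
"/O=Grid/O=Globus/OU=anl.gov/CN=Jane Roe" jroe
'''

# One entry per line: a double-quoted name (it may contain spaces),
# whitespace, then a comma-separated username list with no spaces.
_LINE_RE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_mapfile(text: str) -> Dict[str, List[str]]:
    """Return {gssapi_name: [afs usernames...]} for every well-formed line.

    Malformed lines are skipped rather than guessed at, and a name that is
    listed twice keeps its first mapping, so a stray later entry cannot
    silently widen an earlier grant.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        users = [u for u in m.group(2).split(",") if u]
        if users and name not in mapping:
            mapping[name] = users
    return mapping


def resolve_afs_user(mapping: Dict[str, List[str]], gssapi_name: str,
                     requested: Optional[str] = None) -> Optional[str]:
    """Pick the AFS username for an already authenticated GSSAPI name.

    A requested username must appear in that name's list; with no request
    the first listed username is used (assumed default). An unknown name
    or an unlisted request yields None, meaning no AFS token is issued.
    """
    users = mapping.get(gssapi_name)
    if not users:
        return None
    if requested is None:
        return users[0]
    return requested if requested in users else None
```

With a Kerberos GSSAPI mechanism the same lookup applies, with the mapfile key being the Kerberos principal name instead of a certificate subject.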