[OpenAFS] When Using Kerberos5 is klog necessary?

Derek Atkins warlord@MIT.EDU
Thu, 01 Jan 2004 14:09:59 -0500


Jeffrey Altman <jaltman@columbia.edu> writes:

> On Windows, the ticket manager (Leash) already performs the following logic:
>
>    1. obtain a k5 tgt for REALM
>    2. obtain default AFS cell
>    3. attempt to obtain a k5 afs/cell@REALM or afs/cell@CELL or afs@CELL
>    4. if successful, perform krb524 on ticket to get k4 afs ticket and
>       munge into AFS token
>
> This works fine for one cell.  But what if you need to obtain tokens
> for multiple cells using the same tgt?  The question is how and where
> to specify that?
>
> Some MIT users for example may require tokens for both the
> athena.mit.edu and the media-lab.mit.edu cells which they could obtain
> using krb5 cross-realm with their ATHENA.MIT.EDU tgt.  I thought this
> is the problem which we were attempting to solve.

There are three things that I think MIT users might want to do once they
have Athena kerberos tickets (and AFS tokens):

1) authenticate to an AFS cell that uses the same kerberos realm,
   e.g. sipb.mit.edu or dev.mit.edu
2) authenticate to an AFS cell that uses cross-realm, e.g. andrew.cmu.edu
   or media-lab.mit.edu
3) authenticate to an AFS cell that uses a different kerberos realm completely,
   e.g. transarc.com

Generally, #1 and #2 work by just running "aklog" and that has the
magic to obtain the proper afs service ticket and convert it into a
token.  #3 generally requires a second Krb5 Credential Cache.

I think the question is: what should the OpenAFS-1.4 authentication
model be, and what should it assume?  Do we want to have a closer tie
to krb5, and if so what's the migration path for existing clients to
the new auth model?

> - Jeff

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available