[OpenAFS] Kerberos4 needed for windows logon?

Jeffrey Altman jaltman@secure-endpoints.com
Sun, 03 Oct 2010 10:30:02 -0400

The Windows OpenAFS client does not support the rx based kaserver
protocol.  It only supports the Kerberos v4 protocol which was also
supported by kaserver.  For Kerberos v5 support, the users must install
a Kerberos v5 implementation.  The only one supported at present is MIT
Kerberos for Windows.  Heimdal support will be available shortly.

Jeffrey Altman

On 8/29/2010 12:36 PM, Bo Nygaard Bai wrote:
> I have recently migrated our old AFS cell from kaserver to Heimdal with
> kaserver emulation. Yes, I know! This was probably the last cell to do
> this.
> Basically I did this:
>  * Make a copy of the kaservers database
>  * Import the database into Heimdal (using hprop | hpropd from the FAQ)
>  * Install Heimdal slave KDCs on all AFS database servers
>  * Enable kaserver emulation on the Heimdal slave KDCs
> This works perfectly for all our Unix variants. But existing Windows
> clients could not authenticate unless I enable kerberos 4 support and
> disable preauthentication for all users.
> Heimdal log from Unix klog:
> Aug 29 18:27:05 afsdb1 kdc[12185]: AS-REQ (kaserver)
> esbensen.@IES.AUC.DK from IPv4: for
> Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup esbensen@IES.AUC.DK succeeded
> Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup krbtgt/IES.AUC.DK@IES.AUC.DK
> succeeded
> Aug 29 18:27:05 afsdb1 kdc[12185]: sending 172 bytes to IPv4:130.225.51
> Heimdal log from Windows OpenAFS client:
> Aug 29 18:32:18 afsdb3 kdc[6647]: AS-REQ (krb4) bai.@IES.AUC.DK from
> IPv4: for afs.@IES.AUC.DK
> Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup bai@IES.AUC.DK succeeded
> Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup afs@IES.AUC.DK succeeded
> Aug 29 18:32:18 afsdb3 kdc[6647]: sending 102 bytes to IPv4:
> It feels like a step backwards on security from using the kaserver.
> Does the openafs client for Windows only work with kerberos4?
> Do I really need to disable preauthentication until all clients have
> switched to use the MIT tools?
> /Bo Bai
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
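The Heimdal KDC log lines quoted above tag each AS-REQ with the protocol it arrived over ("(kaserver)", "(krb4)", or no tag for native Kerberos v5). Since krb4 and kaserver requests are exactly the ones that force preauthentication off, an administrator in Bo's position wants to know which principals are still authenticating that way, and when that set is empty. The following script is an added example, not code from the thread or from OpenAFS/Heimdal: it parses such log lines and reports per-principal protocol use. The sample log is constructed after the quoted excerpts (the addresses and the krb5 line are made up, as the originals were cut off), and the log line layout assumed is "AS-REQ [(proto)] client from addr for server".

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the Heimdal KDC log excerpts quoted in the
# thread (addresses and the plain krb5 line are made up; the thread's own
# lines had the addresses cut off).
SAMPLE_LOG = """\
Aug 29 18:27:05 afsdb1 kdc[12185]: AS-REQ (kaserver) esbensen.@IES.AUC.DK from IPv4:130.225.51.10 for krbtgt/IES.AUC.DK@IES.AUC.DK
Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup esbensen@IES.AUC.DK succeeded
Aug 29 18:32:18 afsdb3 kdc[6647]: AS-REQ (krb4) bai.@IES.AUC.DK from IPv4:130.225.51.20 for afs.@IES.AUC.DK
Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup bai@IES.AUC.DK succeeded
Aug 29 18:40:02 afsdb2 kdc[9001]: AS-REQ alice@IES.AUC.DK from IPv4:130.225.51.30 for krbtgt/IES.AUC.DK@IES.AUC.DK
"""

# Assumed layout: "AS-REQ (krb4) client from addr for server". The
# parenthesised protocol tag is absent on native Kerberos v5 requests, so it
# is optional in the pattern.
AS_REQ_RE = re.compile(
    r"AS-REQ(?: \((?P<proto>[a-z0-9]+)\))? (?P<client>\S+) from (?P<addr>\S+) for (?P<server>\S+)"
)

# Protocols that carry no preauthentication and so require it to be disabled.
LEGACY_PROTOCOLS = {"krb4", "kaserver"}


def normalize_principal(name: str) -> str:
    """Map a v4-style 'user.@REALM' (empty instance) onto 'user@REALM'."""
    user, sep, realm = name.partition("@")
    return user.rstrip(".") + sep + realm


def parse_as_req(line: str):
    """Return the parsed fields of an AS-REQ log line, or None for other lines."""
    m = AS_REQ_RE.search(line)
    if m is None:
        return None
    return {
        "proto": m.group("proto") or "krb5",
        "client": normalize_principal(m.group("client")),
        "addr": m.group("addr"),
        "server": normalize_principal(m.group("server")),
    }


def summarize_as_reqs(log_text: str):
    """Count AS-REQs per client principal, broken down by protocol."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        req = parse_as_req(line)
        if req is not None:
            per_client[req["client"]][req["proto"]] += 1
    return per_client


def legacy_principals(log_text: str):
    """Sorted principals still authenticating over krb4 or the kaserver protocol."""
    summary = summarize_as_reqs(log_text)
    return sorted(p for p, protos in summary.items() if LEGACY_PROTOCOLS & set(protos))


if __name__ == "__main__":
    for principal, protos in sorted(summarize_as_reqs(SAMPLE_LOG).items()):
        print(principal, dict(protos))
    print("still on legacy protocols:", legacy_principals(SAMPLE_LOG))
```

Run it against the real KDC log on each database server (the krb4 and kaserver requests can land on any slave, as the afsdb1/afsdb3 lines in the thread show); once `legacy_principals` comes back empty for a reasonable window, preauthentication can be re-enabled without locking out users.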
