[OpenAFS-devel] timeframe for krb5 + openafs w/o krb524d?

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 4 Jan 2001 00:10:33 -0500 (EST)


On Wed, 3 Jan 2001, Neulinger, Nathan R. wrote:

> Any idea on when we might see openafs kernel and fileserver support that
> could use krb5 tickets directly, eliminating the need for krb524d?
> 
> The reason I ask is, if it can be made to use krb5 tickets directly without
> conversion, then a non-MIT KDC can be used as your authentication source.
> (Yeah, you know what one I'm talking about... not my choice...)
> 
> Alternatively, how hard would it be to implement a krb524d that operated
> against a different KDC, presuming it could be given the password for the
> krbtgt and afs principals?

It will be a while yet.  However, you can do what you want with the
standard krb524d that ships with MIT krb5.  That daemon can be run in a
single-service mode, where you give it a copy of the key for the service
principal whose keys it will be able to convert.  It should be downright
trivial to use that in combination with Ken Hornstein's krb5 aklog to get
usable AFS tickets with a V4-only KDC.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA