[OpenAFS-devel] timeframe for krb5 + openafs w/o krb524d?
Nathan Neulinger
nneul@umr.edu
Thu, 04 Jan 2001 07:22:19 -0600
Jeffrey Hutzelman wrote:
>
> On Wed, 3 Jan 2001, Neulinger, Nathan R. wrote:
>
> > Any idea on when we might see openafs kernel and fileserver support that
> > could use krb5 tickets directly, eliminating the need for krb524d?
> >
> > The reason I ask is, if it can be made to use krb5 tickets directly without
> > conversion, then a non-MIT KDC can be used as your authentication source.
> > (Yeah, you know what one I'm talking about... not my choice...)
> >
> > Alternatively, how hard would it be to implement a krb524d that operated
> > against a different kdc. Presuming it could be given the password for the
> > krbtgt and afs principals?
>
> It will be a while yet. However, you can do what you want with the
> standard krb524d that ships with MIT krb5. That daemon can be run in a
> single-service mode, where you give it a copy of the key for the service
> principal whose keys it will be able to convert. It should be downright
> trivial to use that in combination with Ken Hornstein's krb5 aklog to get
> usable AFS tickets with a V4-only KDC.
Ah, cool. So it should only need the afs@REALM key?

Now, the question is - given this:

    Principal: afs@UMR.EDU
    Number of keys: 1
    Key: vno 0, DES cbc mode with CRC-32, AFS version 3

but all my users are:

    Principal: nneul@UMR.EDU
    Number of keys: 2
    Key: vno 8, DES cbc mode with CRC-32, no salt
    Key: vno 8, DES cbc mode with CRC-32, Version 4

is it safe to change the password of the AFS principal and use Ken's
setkey program to update it on the fileservers, or does that key need to
use the AFS version 3 salt? When we did the krb5 migration, we never
changed the keys on our fileservers - we didn't need to.

And, I believe this came up before for other issues - is there a
straightforward way of creating a keytab without changing the password
for a principal?

-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
CIS - Systems Programming Fax: (573) 341-4216