[OpenAFS-devel] timeframe for krb5 + openafs w/o krb524d?
Sam Hartman
hartmans@mit.edu
04 Jan 2001 09:56:02 -0500
>>>>> "Nathan" == Nathan Neulinger <nneul@umr.edu> writes:
Nathan> Jeffrey Hutzelman wrote:
>> On Wed, 3 Jan 2001, Neulinger, Nathan R. wrote:
>>
>> > Any idea on when we might see openafs kernel and fileserver
>> > support that could use krb5 tickets directly, eliminating the
>> > need for krb524d?
>> >
>> > The reason I ask is, if it can be made to use krb5 tickets
>> > directly without conversion, then a non-MIT KDC can be used as
>> > your authentication source. (Yeah, you know what one I'm talking
>> > about... not my choice...)
>> >
>> > Alternatively, how hard would it be to implement a krb524d that
>> > operated against a different kdc. Presuming it could be given
>> > the password for the krbtgt and afs principals?
>>
>> It will be a while yet. However, you can do what you want with
>> the standard krb524d that ships with MIT krb5. That daemon can
>> be run in a single-service mode, where you give it a copy of
>> the key for the service principal whose keys it will be able to
>> convert. It should be downright trivial to use that in
>> combination with Ken Hornstein's krb5 aklog to get usable AFS
>> tickets with a V4-only KDC.
Nathan> Ah, cool. So it should only need the afs@REALM key?
Yes.
Nathan> Now, the question is - given this:
Nathan> Principal: afs@UMR.EDU
Nathan> Number of keys: 1
Nathan> Key: vno 0, DES cbc mode with CRC-32, AFS version 3
Nathan> but all my users are:
Nathan> Principal: nneul@UMR.EDU
Nathan> Number of keys: 2
Nathan> Key: vno 8, DES cbc mode with CRC-32, no salt
Nathan> Key: vno 8, DES cbc mode with CRC-32, Version 4
Nathan> is it safe to change the password of the AFS principal and
Nathan> use Ken's setkey program to update it on the
Nathan> fileservers, or does that key need to use the AFS version
Nathan> 3 salt? When we did the krb5 migration, we never changed
Nathan> the keys on our fileservers - we didn't need to.
If you ktadd it and use asetkey all will be fine.
Nathan> And, I believe this came up before for other issues - is
Nathan> there a straightforward way of creating a keytab without
Nathan> changing the password for a principal?
No. See long flamewar on krbdev when the OV kadmin stuff was first
being integrated. I failed to convince people this would be a useful
feature, or at least that it was worth implementing.
This should probably move to kerberos@mit.edu or openafs-info; it is
neither development nor particularly openafs.
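
The "ktadd it and use asetkey" path, as an added worked example that is not from the thread, from OpenAFS or from MIT: it random-keys afs@REALM into a scratch keytab with kadmin ktadd, reads the kvno of the resulting DES key from klist -k -e output (asetkey needs the exact kvno, and the OpenAFS KeyFile holds only single-DES keys), and loads it with asetkey. The realm, the admin principal, the keytab path and the ktadd -e keysalt string are assumptions; asetkey is called in the three-argument form of that era. The klist output used for the offline check is constructed. Two points the thread leaves implicit: the AFS version 3 salt only affects keys derived from a password, so it does not matter for a random ktadd key; and because the KDC issues tickets under the new key as soon as ktadd returns, the keytab or KeyFile has to reach every fileserver promptly, while older kvnos left in the KeyFile keep previously issued tickets working.

```shell
#!/bin/sh
# Added example, not from the thread. Re-key afs@REALM with kadmin ktadd and
# load the resulting DES key into the OpenAFS KeyFile with asetkey.
# REALM, ADMIN, KEYTAB and the ktadd keysalt string are assumptions.

REALM=UMR.EDU                 # assumed; the realm named in the thread
ADMIN=admin/admin             # assumed kadmin principal
KEYTAB=/tmp/afs.keytab        # assumed scratch keytab, removed afterwards

# Print the kvno of the DES-CBC-CRC key for principal $2 found in the
# 'klist -k -e' output passed as $1. Fails (exit 1) when there is no such
# key: the AFS KeyFile can only hold single-DES keys and asetkey needs
# the exact kvno.
keytab_des_kvno() {
    kv=$(printf '%s\n' "$1" | awk -v p="$2" \
        '$2 == p && /DES cbc mode with CRC-32/ { print $1; exit }')
    [ -n "$kv" ] || return 1
    printf '%s\n' "$kv"
}

# The live procedure; only runs when invoked as 'script --run'.
rekey_afs() {
    # ktadd always randomises the key (no keytab without a key change, as
    # the thread says), so the kvno increments. -e pins a single DES key.
    kadmin -p "$ADMIN" -q "ktadd -k $KEYTAB -e des-cbc-crc:afs3 afs" || return 1
    kvno=$(keytab_des_kvno "$(klist -k -e "$KEYTAB")" "afs@$REALM") || {
        echo "no DES key for afs@$REALM in $KEYTAB" >&2; return 1; }
    # asetkey add <kvno> <keytab> <principal>. Older kvnos stay in the
    # KeyFile, so tickets issued under the previous key keep working.
    # Repeat on every fileserver (or copy the KeyFile): the KDC issues
    # tickets with the new key as soon as ktadd returns.
    asetkey add "$kvno" "$KEYTAB" "afs@$REALM" || return 1
    rm -f "$KEYTAB"
}

# Constructed sample of 'klist -k -e' output, used for the offline check.
SAMPLE_KLIST='Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs@UMR.EDU (DES cbc mode with CRC-32)'

if [ "${1:-}" = "--run" ]; then
    rekey_afs
else
    echo "would run asetkey with kvno $(keytab_des_kvno "$SAMPLE_KLIST" "afs@$REALM")"
fi
```

Run it with no arguments to see the kvno extracted from the constructed sample; pass --run on a machine with kadmin, klist and asetkey installed to perform the actual re-key.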