[OpenAFS-devel] timeframe for krb5 + openafs w/o krb524d?

Sam Hartman hartmans@mit.edu
04 Jan 2001 09:56:02 -0500


>>>>> "Nathan" == Nathan Neulinger <nneul@umr.edu> writes:

    Nathan> Jeffrey Hutzelman wrote:
    >>  On Wed, 3 Jan 2001, Neulinger, Nathan R. wrote:
    >> 
    >> > Any idea on when we might see openafs kernel and fileserver
    >> > support that could use krb5 tickets directly, eliminating the
    >> > need for krb524d?
    >> >
    >> > The reason I ask is, if it can be made to use krb5 tickets
    >> > directly without conversion, then a non-MIT KDC can be used as
    >> > your authentication source.  (Yeah, you know what one I'm
    >> > talking about... not my choice...)
    >> >
    >> > Alternatively, how hard would it be to implement a krb524d that
    >> > operated against a different kdc.  Presuming it could be given
    >> > the password for the krbtgt and afs principals?
    >> 
    >> It will be a while yet.  However, you can do what you want with
    >> the standard krb524d that ships with MIT krb5.  That daemon can
    >> be run in a single-service mode, where you give it a copy of
    >> the key for the service principal whose keys it will be able to
    >> convert.  It should be downright trivial to use that in
    >> combination with Ken Hornstein's krb5 aklog to get usable AFS
    >> tickets with a V4-only KDC.

    Nathan> Ah, cool. So it should only need the afs@REALM key?

Yes.

    Nathan> Now, the question is - given this:

    Nathan> Principal: afs@UMR.EDU
    Nathan> Number of keys: 1
    Nathan> Key: vno 0, DES cbc mode with CRC-32, AFS version 3

    Nathan> but all my users are:

    Nathan> Principal: nneul@UMR.EDU
    Nathan> Number of keys: 2
    Nathan> Key: vno 8, DES cbc mode with CRC-32, no salt
    Nathan> Key: vno 8, DES cbc mode with CRC-32, Version 4

    Nathan> is it safe to change the password of the AFS principal and
    Nathan> use the Ken's setkey program to update it on the
    Nathan> fileservers, or does that key need to use the AFS version
    Nathan> 3 salt? When we did the krb5 migration, we never changed
    Nathan> the keys on our fileservers - we didn't need to.

If you ktadd it and use asetkey all will be fine.

    Nathan> And, I believe this came up before for other issues - is
    Nathan> there a straightforward way of creating a keytab without
    Nathan> changing the password for a principal?

No.  See long flamewar on krbdev when the OV kadmin stuff was first
being integrated.  I failed to convince people this would be a useful
feature, or at least that it was worth implementing.

This should probably move to kerberos@mit.edu or openafs-info; it is
neither development nor particularly openafs.
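The "ktadd it and use asetkey" procedure above, scripted as an added example that is not part of this thread or of OpenAFS/MIT krb5 themselves. What the thread implies and this script makes explicit: kadmin's ktadd replaces the principal's key with a random one and bumps the kvno, so the new key has to be installed on every fileserver, and the kvno in the keytab must match what `bos listkeys` reports before krb524d (or anything else) is pointed at that keytab. The realm, host names and admin principal are placeholders; the `klist -k` and `bos listkeys` output samples are constructed; the `-e des-cbc-crc:normal` enctype is chosen because rxkad needs a single-DES key (salt is irrelevant for a random key); and `krb524d -k <keytab> -nofork` for single-service mode is my recollection of the MIT man page of the era, so check it against your installed version.

```shell
#!/bin/sh
# Added example, not from the thread: rotate the AFS service key with
# kadmin ktadd, push it to every fileserver with asetkey, verify the kvno,
# then run krb524d in single-service (keytab) mode.
#
# Assumptions (none stated by the thread):
#   - MIT krb5 kadmin; "ktadd -e des-cbc-crc:normal" yields a single-DES
#     key, which rxkad requires.  ktadd randomizes the key and bumps kvno.
#   - OpenAFS asetkey syntax "asetkey add <kvno> <keytab> <principal>".
#   - "klist -k" / "bos listkeys" output as in the constructed samples.
#   - krb524d takes "-k <keytab>" for single-service mode (my recollection
#     of the MIT man page; confirm for your version).
#   - Realm, hosts and admin principal below are placeholders.

AFS_PRINC="${AFS_PRINC:-afs@EXAMPLE.COM}"
ADMIN_PRINC="${ADMIN_PRINC:-admin/admin@EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/tmp/afs.keytab}"
FILESERVERS="${FILESERVERS:-fs1.example.com fs2.example.com}"

# Read "klist -k" output on stdin; print the highest kvno for principal $1
# (0 when the principal is not in the keytab).
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ && $NF == p && $1 + 0 > max { max = $1 + 0 }
        END { print max }'
}

# Read "bos listkeys" output on stdin; succeed iff a line
# "key <N> has cksum ..." exists for kvno $1.
kvno_installed() {
    awk -v k="$1" '$1 == "key" && $2 == k { found = 1 } END { exit !found }'
}

rekey_afs() {
    # 1. New random key for the AFS principal, written to KEYTAB.  From now
    #    on the KDC issues afs tickets under the new kvno, so finish steps
    #    2 and 3 before clients pick those tickets up.
    kadmin -p "$ADMIN_PRINC" \
        -q "ktadd -k $KEYTAB -e des-cbc-crc:normal $AFS_PRINC" || return 1
    kvno=$(klist -k "$KEYTAB" | keytab_kvno "$AFS_PRINC")
    [ "$kvno" -gt 0 ] || { echo "no key for $AFS_PRINC in $KEYTAB" >&2; return 1; }

    # 2. Install the same key under the same kvno on every fileserver.
    for fs in $FILESERVERS; do
        scp "$KEYTAB" "root@$fs:$KEYTAB" || return 1
        ssh "root@$fs" "asetkey add $kvno $KEYTAB $AFS_PRINC && rm -f $KEYTAB" \
            || return 1
    done

    # 3. Do not trust the rollout until each fileserver reports the kvno.
    for fs in $FILESERVERS; do
        ssh "root@$fs" "bos listkeys $fs -localauth" | kvno_installed "$kvno" \
            || { echo "kvno $kvno not installed on $fs" >&2; return 1; }
    done

    # 4. Single-service krb524d: holds only this key, needs no KDC database.
    krb524d -k "$KEYTAB" -nofork
}

# Constructed sample output for the two parsers (not real hosts or keys).
SAMPLE_KLIST='Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- --------------------------------------------------
   8 afs@EXAMPLE.COM
   9 afs@EXAMPLE.COM
   3 host/fs1.example.com@EXAMPLE.COM'

SAMPLE_BOS='key 8 has cksum 2035850286
key 9 has cksum 1448790301
Keys last changed on Thu Jan  4 10:00:00 2001.
All done.'

# Exercise the parsers offline; returns 0 when both behave as expected.
selfcheck() {
    [ "$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno afs@EXAMPLE.COM)" = 9 ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno nobody@EXAMPLE.COM)" = 0 ] || return 1
    printf '%s\n' "$SAMPLE_BOS" | kvno_installed 9 || return 1
    if printf '%s\n' "$SAMPLE_BOS" | kvno_installed 10; then return 1; fi
    return 0
}

if [ "${1:-}" = "--run" ]; then
    rekey_afs
else
    selfcheck && echo "parsers ok; rerun with --run to rotate the key"
fi
```

Run it with no arguments to exercise the parsers on the embedded samples; `--run` performs the rotation. The kvno check in step 3 is the part worth keeping even if the rest is adapted: a fileserver that still has only the old kvno will reject every ticket the KDC now issues.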