[OpenAFS] openafs and kerberos5

Derrick J Brashear shadow@dementia.org
Mon, 9 Apr 2001 12:13:11 -0400 (EDT)


On Mon, 9 Apr 2001, Forrest D. Whitcher wrote:

> David,
> 
> I've been wrestling with this for several weeks, and have gotten
> a good bit of help from Ken Hornstein who put together the most
> recent (to my knowledge) set of migration tools for this.

I suppose I'm an anomaly since I have a strong background in both AFS and
Kerberos (both v4 and v5). I set it up, switched off my kaserver, and it
"just worked".

> Results so far are that I was able to get an apparently successful
> build of the essential tools (asetkey and aklog). However I've as
> yet been unable to make it work in practice.
> 
> (!!!! btw HELP! :- ... the latest I've been able to figure out is
> that when I obtain an afs ticket from the k5 KDC (requires krb524d
> be running to translate tickets).. the AFS key that is granted is
> listed in the K5 tickets !!!??? might explain why afs is complaining
> when I try to use the ticket????)

Your punctuation keys seem to be sticking. aklog (if you use Ken's v5
aklog) takes the ticket from the v5 cred cache, makes a token, and sticks
it in the kernel. 

Anyhow, if you're converting an existing cell, and setting up krb5 for the
first time, I recommend Heimdal for your krb5 servers, as it has tools to
make the transition really, really easy. hprop (like kprop, but
Heimdal-specific) can be used to convert a kaserver database directly to a
v5 database. Basically:
-Follow the instructions to configure heimdal and initialize a realm,
including master key setup.
-Then, immediately run
    /path/to/hprop --source=kaserver -c your.cell -n | /path/to/hpropd -n
-If you want to keep using klog and not need to worry about aklog,
configure heimdal's KDC to listen on the kaserver port (from krb5.conf:)
    [kdc]
        enable-kaserver = true
        afs-cell = your.cell
-If you want to use 524 translation service with an aklog that does 524 to
get an afs ticket:
    [kdc]
        enable-524 = true
        v4-realm = YOUR.REALM

-Wise to configure kadmin to generate afs keys when passwords get changed
so klog stays happy, *but* klog can also do des string to key, so
generating v4-style keys is sufficient. The former would be:
    [kadmin]
        default_keys = afs3 v5
        afs-cell = your.cell

The latter:
    [kadmin]
        default_keys = v4 v5
        v4-realm = YOUR.REALM

Or collect all 3:
    [kadmin]
        default_keys = v4 v5 afs3
        afs-cell = your.cell
        v4-realm = YOUR.REALM

To set up AFS in an existing krb5 realm:
-Create the key for afs or afs.cell.name, making sure there's a v4-salted
key generated for it.
-If you use heimdal, you can add the key to your keytab using ktutil, then
    ktutil copy /etc/krb5.keytab AFSKEYFILE:/usr/afs/etc/KeyFile
and it should copy only the afs key from the keytab.
-If you use MIT krb5, it's harder. You'll need a krb5-aware asetkey, and
to ktutil add the afs key, then run asetkey.
-At this point clients should be able to run aklog5 and get a useful token
for AFS.

For bootstrapping a new MIT krb5 realm, hopefully someone else can give a
step-by-step.

-D
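The [kdc] and [kadmin] settings in the message above come in pairs: enable-kaserver and the afs3 key type both need afs-cell, enable-524 and the v4 key type both need v4-realm, and the cell and realm given to the KDC should match the ones given to kadmin. The following checker is an added example written for this archive page; it is not Derrick's code and not part of Heimdal. It parses the flat key = value lines of a krb5.conf (nested brace blocks are skipped, since none of the settings discussed live in one) and reports any of those pairings that are incomplete. The two configuration files are constructed for the example; the setting names are the ones used in the post, and the rule that every default_keys list should include v5 is taken from the fact that all three variants in the post list it.

```python
"""Consistency check for the Heimdal krb5.conf settings discussed in the post.

Example code written for this page; the configurations below are constructed
and the checks encode the setting pairings as the post gives them.
"""
import re

# Constructed: the post's [kdc] and [kadmin] fragments merged into one file,
# with placeholder cell and realm names filled in.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG

[kdc]
    enable-kaserver = true
    afs-cell = example.org
    enable-524 = true
    v4-realm = EXAMPLE.ORG

[kadmin]
    default_keys = v4 v5 afs3
    afs-cell = example.org
    v4-realm = EXAMPLE.ORG
"""

# Constructed: the same file with afs-cell dropped from both sections and
# v5 removed from default_keys, to show what the checker reports.
BROKEN_CONF = """
[kdc]
    enable-kaserver = true
    enable-524 = true
    v4-realm = EXAMPLE.ORG

[kadmin]
    default_keys = v4 afs3
    v4-realm = EXAMPLE.ORG
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat settings of a krb5.conf.

    Lines inside '{ ... }' blocks (realm or domain entries) are skipped;
    comments after '#' are stripped.
    """
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header and depth == 0:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(depth - 1, 0)
            continue
        if depth or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def _truthy(value):
    return value is not None and value.lower() in ("true", "yes", "1")


def check_afs_settings(sections):
    """Return a list of findings; an empty list means the pairings are complete."""
    findings = []
    kdc = sections.get("kdc", {})
    kadmin = sections.get("kadmin", {})

    # KDC side: kaserver emulation needs the cell, 524 needs the v4 realm.
    if _truthy(kdc.get("enable-kaserver")) and not kdc.get("afs-cell"):
        findings.append("[kdc] enable-kaserver is set but afs-cell is missing")
    if _truthy(kdc.get("enable-524")) and not kdc.get("v4-realm"):
        findings.append("[kdc] enable-524 is set but v4-realm is missing")

    # kadmin side: afs3 keys need the cell, v4 keys need the v4 realm,
    # and every default_keys variant in the post includes v5.
    keys = kadmin.get("default_keys", "").split()
    if "afs3" in keys and not kadmin.get("afs-cell"):
        findings.append("[kadmin] default_keys has afs3 but afs-cell is missing")
    if "v4" in keys and not kadmin.get("v4-realm"):
        findings.append("[kadmin] default_keys has v4 but v4-realm is missing")
    if keys and "v5" not in keys:
        findings.append("[kadmin] default_keys does not include v5")

    # Both sections should name the same cell and realm.
    for name in ("afs-cell", "v4-realm"):
        if kdc.get(name) and kadmin.get(name) and kdc[name] != kadmin[name]:
            findings.append(f"{name} differs between [kdc] and [kadmin]")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        problems = check_afs_settings(parse_krb5_conf(conf))
        print(f"{label}: {'ok' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against a real /etc/krb5.conf by reading the file into parse_krb5_conf; the checker only looks at the [kdc] and [kadmin] sections, so other sections and nested realm blocks are ignored rather than misparsed.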