[OpenAFS] MIT krb5 w/OpenAFS

John Berninger John_Berninger@ncsu.edu
Wed, 1 Aug 2001 14:38:52 -0400


I've successfully gotten Krb5 and OpenAFS 1.0.4 to play together nicely,
so I can give you some ideas on what I did, as well as what I found out
when trying this.

        First, the Kerberos realm name and AFS cell name must be the
same for what you're trying to do.  With Krb5, the realm name gets
salted in as part of the key, and the AFS principal is based on the cell
name, so they've got to be the same.  At least, I've never heard of
anyone getting OAFS and Krb5 talking nicely with different realm and
cell names - if this is incorrect, I'm sure someone will correct me.  :)

        Once you have your Krb realm set up and functional and your AFS
cell functional, the steps to get the two talking are fairly well
documented in the krb5 migration kit (mentioned in various places in
this list's archives).  The only gotchas are due to changes in
behaviors since the kit was written, so instead of using `kadmin' to
manipulate the realm database, you have to use `kadmin.local' with the
`-e des-cbc-crc:afs3' option, to specify a key with the AFSv3 salt.
Other salts may or may not work; this is the first "-e" option I tried,
and since it worked, I didn't go any further.

        Other than those things, the documentation in the migration kit
is (in my experience) completely accurate, and when followed presented
me with no problems.

On Wed, 01 Aug 2001, J. Maynard Gelinas wrote:

> 
>   Hello,
> 
>   I've looked through the archived message lists, read the MIT Kerberos
> and grand.central.org AFS FAQ, read Joe Jackson's page regarding
> Kerberos/AFS integration, etc etc etc. But I'm having a very hard time
> figuring out what documentation and tools are necessary given that the
> documentation assumes a prior version of Kerberos 5.
> 
>   Here's where I'm at:
> 
>   I've got the client software running properly. I can set the realm to
> the MIT athena kerberos servers, authenticate, generate a KRB4 ticket, and
> get the MIT aklog to generate an AFS authentication token for my test
> client. So I know that works. However, I want to create my own realm and
> set up a departmental AFS cell. I have a test kerberos server running
> (behind a NAT/Firewall for now), I have the client able to authenticate
> against the server, but for the life of me I can't figure out how to
> generate a proper key for the afs principal to get client side afs
> authentication going.
> 
>   Given the changes in MIT Kerberos, could someone list what parts of this
> documentation are relevant? Just what do I have to do? Do I still need
> ext_srvtab and asetkey? Can someone point me to a set of step by step
> instructions?
> 
>   BTW: running RH7.x Linux, modern kernel, Kerberos-1.2.2, OpenAFS-1.0.4a.
> However, I've found the kernel modules in the RPMS all seem to have symbol
> conflicts when loading, so I've built my own. Works against the athena AFS
> servers, so I'm assuming it ought to work once I get my cell functioning.
> 
> TIA,
> --Maynard

-- 
Thank you,
John Berninger

Systems Administrator		John_Berninger@ncsu.edu
Department of Mathematics	Box 8205, Harrelson Hall
NC State University		Raleigh, NC 27695
Phone:  (919)515-6315		Fax:	(919)515-3798

GPG Key ID: A8C1D45C
        Fingerprint: B1BB 90CB 5314 3113 CF22  66AE 822D 42A8 A8C1 D45C
--
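
An added example, not part of the original message or the migration kit: a pre-flight check to run after creating the afs key with `kadmin.local -e des-cbc-crc:afs3` and exporting it to a keytab, confirming that realm and cell names agree and that the keytab really holds a des-cbc-crc key before its kvno is handed to `asetkey`. The principal form `afs/<cell>@<REALM>`, the case-insensitive name comparison, the `asetkey add <kvno> <keytab> <principal>` form, and all names and the sample `klist -k -e` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks before loading the afs key into the AFS KeyFile.
# Assumptions (not from the post): the principal is afs/<cell>@<REALM>, and
# "same name" is compared ignoring case (realms are usually upper case).

# Succeeds when realm ($1) and cell ($2) are the same name, ignoring case.
realm_matches_cell() {
    [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# Reads `klist -k -e <keytab>` output on stdin. Prints the highest kvno of a
# DES-CBC-CRC key for afs/<cell>@<REALM> ($1 = realm, $2 = cell); fails if
# the keytab lists no such key (wrong enctype, wrong principal, or empty).
afs_des_kvno() {
    awk -v princ="afs/$2@$1" '
        BEGIN { best = -1 }
        $2 == princ && tolower($0) ~ /des[- ]cbc/ && tolower($0) ~ /crc/ {
            if ($1 + 0 > best) best = $1 + 0
        }
        END { if (best < 0) exit 1; print best }'
}

# Constructed sample of `klist -k -e` output (not from a real KDC).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 afs/math.example.edu@MATH.EXAMPLE.EDU (des-cbc-crc)
   3 afs/math.example.edu@MATH.EXAMPLE.EDU (des-cbc-crc)
   3 host/kdc.math.example.edu@MATH.EXAMPLE.EDU (des3-cbc-sha1)
EOF
}

# Constructed realm and cell names; in real use pipe `klist -k -e` instead.
REALM=MATH.EXAMPLE.EDU
CELL=math.example.edu
if realm_matches_cell "$REALM" "$CELL" &&
   kvno=$(sample_klist | afs_des_kvno "$REALM" "$CELL"); then
    # Assumed asetkey form: add <kvno> <keytab> <principal>
    echo "asetkey add $kvno /tmp/afs.keytab afs/$CELL"
else
    echo "realm/cell mismatch or no des-cbc-crc afs key in keytab" >&2
fi
```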