[OpenAFS] Kerberos with AFS

Derrick J Brashear shadow@dementia.org
Mon, 21 May 2001 12:26:20 -0400 (EDT)


Someone want to work on such a document?

> 1. Why to use Kerberos with AFS? 

Kerberos v5 is a standards-track, multiply-implemented, cross platform
system with generic usefulness. AFS authentication is not.

> 2. Why not to use AFS for authentication?

If it's AFS or Kerberos v4, use AFS. The actual answer to this depends on who
you ask, and what you mean.

> 3. What is the principle of operation of an integrated krb5/afs
> installation?

Treat it like a Kerberos realm, except it will have a key for
afs/cell.name or afs which is put in the KeyFiles of all your AFS servers.

> 4. What implementation of Kerberos to use (Heimdal/MIT/W2K)? What's the
> difference?

Which one depends on who you ask and what your requirements are. The only
reason to use the Win2K one would be if you were using Active Directory
and the like, IMO.

> 5. What is aklog/afslog ? Where are they derived from and what do they do?

A program which uses your Kerberos ticket-granting ticket to get a service
ticket for AFS, converts it to a token, and stuffs it into your client's
kernel so AFS knows you have authentication.

> 6. What is the krbafs library?

A library to ease getting an AFS ticket and converting it to a token.

> 7. What special configuration, maybe patches does kerberos need for AFS
> integration? (key types...)

Patches: with modern MIT or Heimdal, none. The rest depends on whether you're
converting from an old kaserver database or starting a new cell. If you're
starting a new cell, merely supporting v4-salted keys is sufficient; if
you're converting an old database you'll need to configure to use afs3
salted keys with an appropriate cell name.

> 8. Then what is the klog.krb coming with afs?

Writes out a Kerberos v4 TGT in addition to a token.

> 9. There is a PAM module pam_krb5afs.so. What does it do then?
> 10. How do I integrate all these with PAM?

Very carefully, and sometimes not at all; depending on how you stack the
PAM modules, you can easily screw yourself. The problem begins when an
earlier "success" short-circuits the process and the AFS modules don't get
called at all. However, depending on what you want to do there are different
approaches which are "correct".

> 11. How to build openssh to forward both krb5 and afs tickets?

I don't know the answer to this, but I think right now the answer is "you
can't".

> 12. How do the krb5 ftp and telnet support afs? (ftp-ing into an afs home
> directory)

The one in Heimdal calls the krbafs library. I don't think the one in MIT
supports AFS. I may be wrong about that.

> 13. How to administer users in the integrated environment? (still need
> pts!!!)

Yes, you still need a pts entity per user, and to manage whatever pts
groups you're using to do access control in your cell.

> 14. How to distribute the user/group information (nss_ldap, radius and other
> stuff)

This one doesn't even belong in an AFS document; pointers to other
documents which will actually be updated are better.
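The PAM pitfall from questions 9 and 10 above, as an added illustration that is not part of the original post and not OpenAFS code: a small model of how a Linux-PAM "auth" stack is walked, run over two constructed stacks. The module names stand in for the roles the thread describes (pam_unix.so for the local password check, pam_krb5afs.so for Kerberos authentication plus an AFS token); the control-flag semantics are the simplified required/requisite/sufficient/optional rules, and module options such as use_first_pass are not modelled. The point it shows is the short-circuit: when a "sufficient" module succeeds, the rest of the stack is skipped, so an AFS module placed after it never runs and the login succeeds with no token.

```python
"""
Model of Linux-PAM "auth" stack evaluation.  Added example, not from OpenAFS
or from the mailing-list post.  Module names are placeholders for the roles
described on the page; outcomes for each module are constructed input, not
real authentication results.

Control flags (simplified):
  required   - failure fails the stack, but the remaining modules still run
  requisite  - failure fails the stack immediately
  sufficient - success, with no earlier "required" failure, ends the stack
               with success; later modules are skipped
  optional   - result only counts if it is the only module in the stack
"""

from typing import Dict, List, Tuple

AFS_MODULE = "pam_krb5afs.so"   # assumed: does Kerberos auth and sets an AFS token

# Constructed stacks.  The "bad" one puts a sufficient local check first, so a
# user with a valid local password never reaches the AFS module.
BAD_STACK: List[Tuple[str, str]] = [
    ("sufficient", "pam_unix.so"),
    ("required", AFS_MODULE),
]

# One correct ordering: Kerberos/AFS first, local password as the fallback for
# accounts that only exist locally.
GOOD_STACK: List[Tuple[str, str]] = [
    ("sufficient", AFS_MODULE),
    ("required", "pam_unix.so"),
]


def walk_stack(stack: List[Tuple[str, str]],
               outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk an auth stack.

    `outcomes` maps module name -> True/False, standing in for what that
    module would return for the user logging in.  Returns
    (stack_succeeded, modules_invoked_in_order).
    """
    invoked: List[str] = []
    required_failed = False
    for control, module in stack:
        invoked.append(module)
        ok = outcomes.get(module, False)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False, invoked
        elif control == "sufficient":
            if ok and not required_failed:
                return True, invoked        # short-circuit: rest of stack skipped
        elif control == "optional":
            if len(stack) == 1:
                return ok, invoked
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, invoked


def token_obtained(stack: List[Tuple[str, str]],
                   outcomes: Dict[str, bool]) -> bool:
    """True only if the AFS module actually ran and succeeded."""
    _, invoked = walk_stack(stack, outcomes)
    return AFS_MODULE in invoked and outcomes.get(AFS_MODULE, False)


if __name__ == "__main__":
    # A user who has both a local password and a Kerberos principal.
    both_ok = {"pam_unix.so": True, AFS_MODULE: True}
    for name, stack in (("bad", BAD_STACK), ("good", GOOD_STACK)):
        ok, ran = walk_stack(stack, both_ok)
        print(f"{name}: login={'ok' if ok else 'denied'} ran={ran} "
              f"token={token_obtained(stack, both_ok)}")
```

With the bad stack the login succeeds but only pam_unix.so ever runs, so the shell starts with no AFS token; with the AFS module first the token is set, and a local-only account still falls through to pam_unix.so.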