[OpenAFS] Kerberos with AFS

Derrick J Brashear shadow@dementia.org
Fri, 25 May 2001 12:59:14 -0400 (EDT)


I read openafs-info, you don't need to mail it and me.

On 25 May 2001, Patrick J. LoPresti wrote:

> Some background, in case it affects the answers: We are considering
> deploying AFS here in a "from scratch" installation.  We use Red Hat
> Linux, so MIT krb5 seems the logical choice for a Kerberos server
> because Red Hat provides RPMs for it.  I am trying to get a grip on
> what other tools I will need and what pitfalls I am likely to see.
> 
> Derrick J Brashear <shadow@dementia.org> writes:
> 
> > > 3. What is the principle of operation of an integrated krb5/afs
> > > installation?
> > 
> > Treat it like a Kerberos realm, except it will have a key for
> > afs/cell.name or afs which is put in the KeyFiles of all your AFS servers
> 
> Could you elaborate a bit?  Once I have created a krb5 afs/cell.name
> principal, how do I get it into an AFS KeyFile?  That is, what tool do
> I use, where does it come from...

ktutil from Heimdal will do it, or Ken's migration toolkit has a tool to
do it which I've never used.

> > > 4. What implementation of Kerberos to use (Heimdal/MIT/W2K)? What's the
> > > difference?
> > 
> > Which one depends who you ask and what your requirements are. The only
> > reason to use the Win2K one would be if you were using Active Directory
> > and the like, IMO.
> 
> Could you briefly describe the differences as far as AFS is concerned?

Well, since you're asking me, I have to ask what you mean. Just
differences in the KDC? More than that? How much more? Only a Win2K KDC
can give you the "extras" Microsoft wants, because they promised to
release information about what the extras were, and followed up by
releasing a document with a license that basically precludes you from
doing anything with it. 

> > > 5. What is aklog/afslog ? Where are they derived from and what do
> > > they do?
> > 
> > > 11. How to build openssh to forward both krb5 and afs tickets?
> > 
> > I don't know the answer to this, but I think right now the answer is "you
> > can't"
> 
> But it should be possible in principle, right?
>
> What would the right approach be?  To forward just the v5 tickets and
> then use them to obtain tokens, or to forward both?  Is there a place
> where I can find sample code for doing forwarding of tickets and
> tokens?  (We have some custom apps which we might need to modify to
> perform such forwarding.)

The right approach would be to let the proposals on the table shake out
and use something that's standardized instead of having another
implementation which won't interoperate, but I suspect that's not the
answer you're after.

-D
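The reply above says the afs/cell.name key "is put in the KeyFiles of all your AFS servers" and names ktutil or the migration toolkit as the way to do it. The following is an added example, not code from this thread or from OpenAFS, showing what that file actually contains so an administrator can inspect or sanity-check one. It assumes the classic OpenAFS KeyFile layout (the on-disk struct afsconf_keys): a big-endian int32 key count, followed by up to 8 slots of { big-endian int32 kvno; 8-byte DES key }, with the file padded to the full 8-slot size. The sample keys are constructed, parity-adjusted test values, not real cell keys.

```python
# Added example (not from the openafs-info thread): a minimal reader/writer for
# the OpenAFS server KeyFile that the afs/cell.name key is installed into.
# Assumed layout (struct afsconf_keys, all integers big-endian):
#   int32 nkeys, then up to 8 entries of { int32 kvno; char key[8] },
#   padded to the full 8-slot size (100 bytes) when written.
import struct

KEYFILE_MAXKEYS = 8
KEYFILE_SIZE = 4 + KEYFILE_MAXKEYS * 12


def des_odd_parity_ok(key: bytes) -> bool:
    """True if the 8-byte DES key has odd parity in every byte.

    A key pulled out of a keytab by hand and mis-pasted usually fails this,
    so it is a cheap check before the file is copied to every server.
    """
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def encode_keyfile(entries):
    """entries: list of (kvno, 8-byte DES key). Returns the KeyFile bytes."""
    if len(entries) > KEYFILE_MAXKEYS:
        raise ValueError("KeyFile holds at most %d keys" % KEYFILE_MAXKEYS)
    out = bytearray(struct.pack(">i", len(entries)))
    for kvno, key in entries:
        if not des_odd_parity_ok(key):
            raise ValueError("kvno %d: not a parity-adjusted DES key" % kvno)
        out += struct.pack(">i8s", kvno, key)
    out += b"\0" * (KEYFILE_SIZE - len(out))  # unused slots stay zeroed
    return bytes(out)


def decode_keyfile(data: bytes):
    """Parse KeyFile bytes into a list of (kvno, key), ignoring padding."""
    if len(data) < 4:
        raise ValueError("truncated KeyFile")
    (nkeys,) = struct.unpack(">i", data[:4])
    if not 0 <= nkeys <= KEYFILE_MAXKEYS:
        raise ValueError("implausible key count %d" % nkeys)
    if len(data) < 4 + nkeys * 12:
        raise ValueError("KeyFile shorter than its key count implies")
    entries = []
    for i in range(nkeys):
        kvno, key = struct.unpack_from(">i8s", data, 4 + i * 12)
        entries.append((kvno, key))
    return entries


def highest_kvno(entries):
    """The kvno servers will use for new tokens; must match the KDC's."""
    return max(k for k, _ in entries) if entries else None


# Constructed sample: two key versions using parity-adjusted DES test values.
SAMPLE_ENTRIES = [
    (2, bytes.fromhex("0123456789abcdef")),
    (3, bytes.fromhex("fedcba9876543210")),
]

if __name__ == "__main__":
    blob = encode_keyfile(SAMPLE_ENTRIES)
    for kvno, key in decode_keyfile(blob):
        print("kvno %d key %s" % (kvno, key.hex()))
    print("current kvno:", highest_kvno(SAMPLE_ENTRIES))
```

The practical point for a new cell: the KeyFile is a copy of the cell's single DES key, so it is as sensitive as the KDC database entry for afs/cell.name, every server holds the same bytes, and the highest kvno in the file has to match the kvno the KDC issues service tickets with or clients' tokens will be rejected.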