[OpenAFS] Kerberos with AFS

Derrick J Brashear shadow@dementia.org
Sun, 27 May 2001 14:51:46 -0400 (EDT)

On 25 May 2001, Patrick J. LoPresti wrote:

> Derrick J Brashear <shadow@dementia.org> writes:
> > I read openafs-info, you don't need to mail it and me.
> The approval process would delay my message for an indeterminate
> amount of time since I read the list via a gateway.  Sorry.

That's what the vacation option is for; you can subscribe, get no mail,
and still be able to post.

> > On 25 May 2001, Patrick J. LoPresti wrote:
> >
> > > Could you briefly describe the differences as far as AFS is concerned?
> > 
> > Well, since you're asking me, I have to ask what you mean. Just
> > differences in the KDC? More than that? How much more?
> I mean, what are the differences from the point of view of someone
> rolling out AFS for the first time.  I am particularly curious about
> Heimdal vs. MIT Kerberos.  I am considering using MIT Kerberos because
> Red Hat provides nice precompiled packages, and I am wondering whether
> I will wish I had used Heimdal.  (My initial interest in Kerberos is
> to support AFS.)

Heimdal has AFS-supporting tools integrated with it rather than as
add-ons, and that's probably the chief benefit to you.

> > Only a Win2K KDC can give you the "extras" Microsoft wants, because
> > they promised to release information about what the extras were, and
> > followed up by releasing a document with a license that basically
> > precludes you from doing anything with it.
> Yeah, I know.  I do need to integrate Windows clients into the
> picture, and "single sign on" would be nice, but I do not want to
> trust a Windows box as the KDC.

You too, huh?

> > > What would the right approach be?  To forward just the v5 tickets and
> > > then use them to obtain tokens, or to forward both?  Is there a place
> > > where I can find sample code for doing forwarding of tickets and
> > > tokens?  (We have some custom apps which we might need to modify to
> > > perform such forwarding.)
> > 
> > The right approach would be to let the proposals on the table shake out
> > and use something that's standardized instead of having another
> > implementation which won't interoperate, but I suspect that's not the
> > answer you're after.
> That is not an option because there is nothing "standardized" to do
> what I need (as far as I know).  The application is the Berkeley
> "customs" suite, which we use to perform parallel builds with a
> customs-enhanced GNU make.  It works well, but to use it in an AFS
> environment will require forwarding the user's AFS credentials to the
> machines participating in the build.
> So I ask again: What is the right approach for forwarding AFS
> credentials in a Kerberos v5 environment?  And where can I find
> examples of code for performing such forwarding?

The right answer is to use a forwarded Kerberos v5 TGT and get an AFS
credential on the remote machine. Telnet also has code to do it. My answer
as far as SSH is concerned is still going to be the same, but I was hoping the
relevant someone(s) would comment on the state of relevant standards-process
documents, and from the looks of things they have not yet.