[OpenAFS] Kerberos with AFS

Patrick J. LoPresti patl@curl.com
25 May 2001 12:34:55 -0400


Thanks for the answers!  I have some more questions; I hope answering
them will not be too much of a burden.

Some background, in case it affects the answers: We are considering
deploying AFS here in a "from scratch" installation.  We use Red Hat
Linux, so MIT krb5 seems the logical choice for a Kerberos server
because Red Hat provides RPMs for it.  I am trying to get a grip on
what other tools I will need and what pitfalls I am likely to see.

Derrick J Brashear <shadow@dementia.org> writes:

> > 3. What is the principle of operation of an integrated krb5/afs
> > installation?
> 
> Treat it like a Kerberos realm, except it will have a key for
> afs/cell.name or afs which is put in the KeyFiles of all your AFS servers

Could you elaborate a bit?  Once I have created a krb5 afs/cell.name
principal, how do I get it into an AFS KeyFile?  That is, what tool do
I use, where does it come from...

> > 4. What implementation of Kerberos to use (Heimdal/MIT/W2K)? What's the
> > difference?
> 
> Which one depends who you ask and what your requirements are. The only
> reason to use the Win2K one would be if you were using Active Directory
> and the like, IMO.

Could you briefly describe the differences as far as AFS is concerned?

> > 5. What is aklog/afslog ? Where are they derived from and what do they do?
> > 11. How to build openssh to forward both krb5 and afs tickets?
> I don't know the answer to this, but I think right now the answer is "you
> can't"

But it should be possible in principle, right?

What would the right approach be?  To forward just the v5 tickets and
then use them to obtain tokens, or to forward both?  Is there a place
where I can find sample code for doing forwarding of tickets and
tokens?  (We have some custom apps which we might need to modify to
perform such forwarding.)

 - Pat
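As an added illustration of the KeyFile step Derrick describes (not code from this thread or from OpenAFS), here is the sequence an admin runs on an MIT krb5 KDC and then on each AFS server: create the afs/cell.name principal, dump it to a keytab, read the key version number back out of the keytab, and load it into the KeyFile with asetkey. The cell name, realm, keytab path and the use of the single-DES enctype are assumptions for the example (the rxkad KeyFile of that era holds only DES keys); the klist listing embedded below is constructed sample output, and the actual kadmin/asetkey calls run only when the script is invoked with --install.

```shell
#!/bin/sh
# Added example, not from the original thread.  Assumed values:
CELL="${CELL:-example.com}"          # AFS cell name (assumption)
REALM="${REALM:-EXAMPLE.COM}"        # Kerberos realm (assumption)
KEYTAB="${KEYTAB:-/root/afs.keytab}" # scratch keytab (assumption)

# Pick the highest kvno for a principal out of "klist -k [-e]" output.
# ktadd re-randomizes the key and bumps the kvno, so the number in the
# keytab, not the one you expect, is the one asetkey must be given;
# a mismatch makes the fileserver reject every token issued under it.
#   $1 = principal (with @REALM), stdin = klist -k output
keytab_kvno() {
    awk -v p="$1" '
        BEGIN { kv = 0 }
        $2 == p && ($1 + 0) > kv { kv = $1 + 0 }
        END { print kv }'
}

# Constructed sample of "klist -k -e" output, used so the parser can be
# exercised without a KDC.  Two key versions of the afs principal are
# present (an old one is normal right after ktadd); the answer is 3.
SAMPLE_KLIST='Keytab name: FILE:/root/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 afs/example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   5 host/fs1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)'

demo_kvno() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "afs/example.com@EXAMPLE.COM"
}

# The real procedure.  Run as root on the KDC host for steps 1-2 and on
# every AFS server (db and file servers) for step 3, copying the keytab
# over a secure channel and deleting it afterwards.
install_afs_key() {
    princ="afs/$CELL@$REALM"

    # 1. Create the service principal with a random single-DES key.
    kadmin.local -q "addprinc -randkey -e des-cbc-crc:v4 $princ"

    # 2. Extract it to a keytab.  This re-keys the principal, so the kvno
    #    is read back from the keytab rather than assumed.
    kadmin.local -q "ktadd -k $KEYTAB -e des-cbc-crc:v4 $princ"
    kvno=$(klist -k "$KEYTAB" | keytab_kvno "$princ")
    if [ "$kvno" -eq 0 ]; then
        echo "principal $princ not found in $KEYTAB" >&2
        return 1
    fi

    # 3. Load that key version into the AFS KeyFile (asetkey ships with
    #    OpenAFS; earlier it came from the MIT krb5 migration kit).
    asetkey add "$kvno" "$KEYTAB" "$princ"

    # 4. Confirm the server sees the new kvno.
    bos listkeys localhost -localauth
}

if [ "${1:-}" = "--install" ]; then
    install_afs_key
else
    echo "sample keytab kvno: $(demo_kvno)"
fi
```

Once the same kvno is in the KeyFile of every server, a client with a v5 TGT obtains a token with `aklog` (or Heimdal's `afslog`), which fetches an afs/cell.name service ticket and hands it to the cache manager; that is the "forward the v5 tickets, then obtain tokens" route from the last question, and it needs nothing AFS-specific on the wire between the two hosts.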