[OpenAFS] Kerberos with AFS
Patrick J. LoPresti
25 May 2001 16:11:56 -0400
Derrick J Brashear <firstname.lastname@example.org> writes:
> I read openafs-info, you don't need to mail it and me.
The approval process would delay my message for an indeterminate
amount of time since I read the list via a gateway. Sorry.
> On 25 May 2001, Patrick J. LoPresti wrote:
> > Could you briefly describe the differences as far as AFS is concerned?
> Well, since you're asking me, I have to ask what you mean. Just
> differences in the KDC? More than that? How much more?
I mean, what are the differences from the point of view of someone
rolling out AFS for the first time. I am particularly curious about
Heimdal vs. MIT Kerberos. I am considering using MIT Kerberos because
Red Hat provides nice precompiled packages, and I am wondering whether
I will wish I had used Heimdal. (My initial interest in Kerberos is
to support AFS.)
> Only a Win2K KDC can give you the "extras" Microsoft wants, because
> they promised to release information about what the extras were, and
> followed up by releasing a document with a license that basically
> precludes you from doing anything with it.
Yeah, I know. I do need to integrate Windows clients into the
picture, and "single sign on" would be nice, but I do not want to
trust a Windows box as the KDC.
> > What would the right approach be? To forward just the v5 tickets and
> > then use them to obtain tokens, or to forward both? Is there a place
> > where I can find sample code for doing forwarding of tickets and
> > tokens? (We have some custom apps which we might need to modify to
> > perform such forwarding.)
> The right approach would be to let the proposals on the table shake out
> and use something that's standardized instead of having another
> implementation which won't interoperate, but I suspect that's not the
> answer you're after.
That is not an option because there is nothing "standardized" to do
what I need (as far as I know). The application is the Berkeley
"customs" suite, which we use to perform parallel builds with a
customs-enhanced GNU make. It works well, but to use it in an AFS
environment will require forwarding the user's AFS credentials to the
machines participating in the build.
So I ask again: What is the right approach for forwarding AFS
credentials in a Kerberos v5 environment? And where can I find
examples of code for performing such forwarding?