[OpenAFS] Kerberos with AFS

Patrick J. LoPresti patl@curl.com
25 May 2001 16:11:56 -0400

Derrick J Brashear <shadow@dementia.org> writes:

> I read openafs-info, you don't need to mail it and me.

The approval process would delay my message for an indeterminate
amount of time since I read the list via a gateway.  Sorry.

> On 25 May 2001, Patrick J. LoPresti wrote:
> > Could you briefly describe the differences as far as AFS is concerned?
> Well, since you're asking me, I have to ask what you mean. Just
> differences in the KDC? More than that? How much more?

I mean, what are the differences from the point of view of someone
rolling out AFS for the first time.  I am particularly curious about
Heimdal vs. MIT Kerberos.  I am considering using MIT Kerberos because
Red Hat provides nice precompiled packages, and I am wondering whether
I will wish I had used Heimdal.  (My initial interest in Kerberos is
to support AFS.)

> Only a Win2K KDC can give you the "extras" Microsoft wants, because
> they promised to release information about what the extras were, and
> followed up by releasing a document with a license that basically
> precludes you from doing anything with it.

Yeah, I know.  I do need to integrate Windows clients into the
picture, and "single sign on" would be nice, but I do not want to
trust a Windows box as the KDC.

> > What would the right approach be?  To forward just the v5 tickets and
> > then use them to obtain tokens, or to forward both?  Is there a place
> > where I can find sample code for doing forwarding of tickets and
> > tokens?  (We have some custom apps which we might need to modify to
> > perform such forwarding.)
> The right approach would be to let the proposals on the table shake out
> and use something that's standardized instead of having another
> implementation which won't interoperate, but I suspect that's not the
> answer you're after.

That is not an option because there is nothing "standardized" to do
what I need (as far as I know).  The application is the Berkeley
"customs" suite, which we use to perform parallel builds with a
customs-enhanced GNU make.  It works well, but to use it in an AFS
environment will require forwarding the user's AFS credentials to the
machines participating in the build.

So I ask again: What is the right approach for forwarding AFS
credentials in a Kerberos v5 environment?  And where can I find
examples of code for performing such forwarding?


 - Pat
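The two-step approach raised in the thread (forward the Kerberos v5 ticket, then use it on the remote machine to obtain an AFS token) in shell form. This is an added example, not code from the thread, from Pat, or from OpenAFS. It assumes OpenSSH with GSSAPI credential delegation, a local MIT-style `klist -f` (the flag parsing is written for that output format and is an assumption), and `aklog`/`tokens` from OpenAFS on the build host; the host name, cell name and the `klist` samples are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): forward a forwardable Kerberos v5 TGT
# to a build host with ssh GSSAPI delegation, then run aklog there so the
# forwarded ticket becomes an AFS token before the build step executes.
# Assumes OpenSSH GSSAPI delegation, MIT-style "klist -f" output, and the
# OpenAFS aklog/tokens commands on the remote host.

# Assemble the command the remote side runs: turn the forwarded TGT into an
# AFS token for the given cell, print the token so a failure is visible, then
# run the build step. Pure string assembly, so it is checkable without Kerberos.
remote_build_command() {
    cell="$1"; shift
    printf 'aklog -c %s && tokens && %s' "$cell" "$*"
}

# Read "klist -f" output on stdin and succeed only if the krbtgt ticket
# carries the F (forwardable) flag. Without it, delegation silently yields no
# ticket on the remote side and aklog fails there. MIT klist prints the flags
# on a "Flags:" line following the ticket line (assumption: MIT format).
tgt_is_forwardable() {
    awk '
        /krbtgt\// { seen = 1; next }
        seen && /Flags:/ {
            sub(/.*Flags:[ \t]*/, "")      # keep only the flag letters
            if (index($0, "F") > 0) found = 1
            seen = 0
        }
        END { exit found ? 0 : 1 }'
}

# Forward the TGT to $host and run the build there. Refuses to start when the
# local TGT is not forwardable, pointing at "kinit -f" as the fix.
forward_and_build() {
    host="$1"; cell="$2"; shift 2
    if ! klist -f | tgt_is_forwardable; then
        echo "local TGT is not forwardable; obtain one with: kinit -f" >&2
        return 1
    fi
    ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes \
        "$host" "$(remote_build_command "$cell" "$@")"
}

# Constructed "klist -f" samples (placeholder principal and cache path).
SAMPLE_KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: pat@EXAMPLE.COM

Valid starting     Expires            Service principal
05/25/01 16:11:56  05/26/01 02:11:56  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FIA'

SAMPLE_KLIST_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: pat@EXAMPLE.COM

Valid starting     Expires            Service principal
05/25/01 16:11:56  05/26/01 02:11:56  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: IA'

# Only contact a real build host when explicitly asked (placeholder names).
if [ "${1:-}" = "--run" ]; then
    forward_and_build buildhost.example.com example.com make -j4 all
fi
```

Usage: `kinit -f` first, then `sh forward.sh --run`; the remote `tokens` output confirms that `aklog` produced an AFS token from the forwarded ticket before `make` started. The forwardability check exists because a non-forwardable TGT is the most common reason the second step fails with no useful error on the remote side.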