[OpenAFS] OpenAFS using win2k DC for kerberos 5 authentication
Douglas E. Engert
deengert@anl.gov
Fri, 08 Feb 2002 08:13:47 -0600
Dave Bailey wrote:
>
> Hi all,
>
> We're looking at using Win2k active directory to centralise out account
> management. My question is, can the win2k domain controller (acting as a
> kerberos 5 KDC) be used to get AFS tokens in an analagous way to using MIT
> krb5? Is it just a case of getting a working krb524d equivalent to run on
> the domain controller or is it more subtle than that?
Sorry for the late reply. We are doing this now. The krb524d is running
on a Unix system. The krb524d uses two keys, one for K5 and one from a copy
copy of the KeyFile. This means the keys don't have to be the same kvno,
or even the same etype and can be changed independently. We have been using
this mod for years.
Since the krb524d is not being run on the same machine as the KDC, we added
code to to the client side of the krb524 lib to look for a krb524d=location
in the krb5.conf file. ( A better choice would be to use the AFS servers.)
Another option we are testing is called GSIKLOG which uses the GSSAPI to
authenticate to a service running on the AFS servers, and returns a ticket.
Functionally this is equivalent to above for AFS only. The nice part
is there are no Kerberos modifications or source needed and could work
with other GSSAPI implementations, both Kerberos based or non-Kerberos based.
>
> Cheers,
> Dave
> __ _
> David Bailey .-.' `; `-._ __ _
> Bristol University (_, .-:' `; `-._
> Email: D.Bailey@Bristol.ac.uk ,'o"( (_, )
> Tel: +44 117 9546879 (__,-' ,'o"( )>
> Fax: +44 117 9255624 ( (__,-' )
> `-'._.--._( )
> ||| |||`-'._.--._.-'
> ||| |||
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444