[OpenAFS] Authenticating against krb5-only KDC (active directory)

Jacob Gorm Hansen jg@ioi.dk
Thu, 28 Feb 2002 16:53:53 +0100


On Thu, Feb 28, 2002 at 10:34:04AM -0500, Derek Atkins wrote:
> There are a number of ways to do this.  You could just use your M$-KDC
> as a regular K5 KDC and use krb524 to obtain AFS tokens, or you could
> have a process similar to the above where the 'v4 AFS key' is separate
> from the 'M$ key'.

Would that work when clients were on Win2k machines as well?

> Basically, you use 'aklog' to authenticate to the 524 daemon, and that
> gives you a 'token' which you stuff into your client to authenticate.

Has anyone been successful in running 524d on a Windows machine, or do I need
to run it on Linux? It worries me that the Linux machine might end up being
a single point of failure.

> You don't need native k5 in AFS for this to work.

Still, native k5 would be wonderful. But I have no idea how hard that would be
to accomplish. I recently implemented k5 (by means of GSSAPI) in Intermezzo's
perl cache manager (which was abandoned just as the work was completed :-(),
and that was fairly simple.

> -derek

Best,
Jacob