[OpenAFS] Authenticating against krb5-only KDC (active directory)

Derek Atkins derek@ihtfp.com
28 Feb 2002 10:57:22 -0500


Jacob Gorm Hansen <jg@ioi.dk> writes:

> On Thu, Feb 28, 2002 at 10:34:04AM -0500, Derek Atkins wrote:
> > There are a number of ways to do this.  You could just use your M$-KDC
> > as a regular K5 KDC and use krb524 to obtain AFS tokens, or you could
> > have a process similar to the above where the 'v4 AFS key' is separate
> > from the 'M$ key'.
> 
> Would that work when clients were on Win2k machines as well?

Sure.  You just need to compile aklog (or the equivalent).

> > Basically, you use 'aklog' to authenticate to the 524 daemon, and that
> > gives you a 'token' which you stuff into your client to authenticate.
> 
> Has anyone been successful in running 524d on a windows machine, or do I need
> to run it on linux? It worries me that the linux machine might end up being
> a single point of failure.
> 
> > You don't need native k5 in AFS for this to work.
> 
> Still, native k5 would be wonderful. But I have no idea how hard that would be
> to accomplish. I recently implemented k5 (by means of GSSAPI) in Intermezzo's
> perl cache manager (which was abandoned just as the work was completed :-(),
> and that was fairly simple.

Native v5 in AFS is going to be a LOT of work.  In particular, it's
going to require a completely new RX security framework.  I don't
expect this to happen any time soon.  The problem is that way too much
of RX/RXKAD depend on 1-DES and v4.

> > -derek
> 
> Best,
> Jacob

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
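The kinit-then-aklog flow Derek describes only works if the v5 service ticket for afs/<cell> that the M$ KDC issues can be converted by krb524d, which means a single-DES session key and a DES key on the afs principal (the 1-DES dependency he mentions for RXKAD). The script below is an added example for this thread, not OpenAFS or MIT code: it parses the output of MIT `klist -e` (format assumed), finds the afs/<cell>@REALM (or afs@REALM) ticket, and reports whether both enctypes are single DES. The sample cache contents and the cell name ioi.dk are constructed for the demonstration.

```python
"""Check that a Kerberos 5 credential cache holds an AFS service ticket that
krb524d can turn into an rxkad token.

Added example for the thread above; not OpenAFS or MIT code.  Assumes the
`klist -e` output format of MIT Kerberos and that the AFS service principal is
afs/<cell>@REALM (or the older afs@REALM).
"""
import re
import subprocess
import sys

# rxkad tokens carry a single-DES session key, so krb524d can only convert a
# v5 service ticket whose session key (and, for the ticket itself, whose
# service key) is one of these enctypes.  If the AD account for afs/<cell> is
# not set up with a DES key, the KDC issues an RC4/AES ticket and krb524d
# refuses it.
DES_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

TICKET_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+"   # Valid starting
    r"\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+"    # Expires
    r"(?P<service>\S+@\S+)\s*$"                      # Service principal
)
ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(?P<skey>[^,]+),\s*(?P<tkt>\S+)")


def parse_klist(text):
    """Return a list of {service, skey, tkt} dicts from `klist -e` output."""
    entries = []
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            entries.append({"service": m.group("service"), "skey": None, "tkt": None})
            continue
        m = ETYPE_LINE.match(line)
        if m and entries:
            entries[-1]["skey"] = m.group("skey").strip()
            entries[-1]["tkt"] = m.group("tkt").strip()
    return entries


def find_afs_ticket(entries, cell):
    """Pick the ticket for afs/<cell>@REALM, falling back to afs@REALM."""
    for e in entries:
        name = e["service"].split("@", 1)[0]
        if name == "afs/" + cell or name == "afs":
            return e
    return None


def check_afs_ticket(text, cell):
    """Return (ok, reason): can krb524d convert the AFS ticket in `text`?"""
    ticket = find_afs_ticket(parse_klist(text), cell)
    if ticket is None:
        return False, "no afs service ticket for cell %s; run aklog" % cell
    if ticket["skey"] not in DES_ETYPES:
        return False, "session key etype %s is not single DES; krb524d will reject it" % ticket["skey"]
    if ticket["tkt"] not in DES_ETYPES:
        return False, "ticket etype %s is not single DES; the afs/%s key in the KDC is not DES" % (ticket["tkt"], cell)
    return True, "afs ticket for %s is DES (%s); krb524 conversion should succeed" % (cell, ticket["skey"])


# Constructed sample of `klist -e` output after `kinit` against the AD KDC and
# `aklog`; not captured from a real system.
SAMPLE_OK = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jacob@EXAMPLE.COM

Valid starting     Expires            Service principal
02/28/02 10:34:04  02/28/02 20:34:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac 
02/28/02 10:35:00  02/28/02 20:35:00  afs/ioi.dk@EXAMPLE.COM
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc 
"""

# Same cache, but the afs/ioi.dk account in AD was given no DES key.
SAMPLE_BAD = SAMPLE_OK.replace("des-cbc-crc, des-cbc-crc", "arcfour-hmac, arcfour-hmac")


if __name__ == "__main__":
    cell = sys.argv[1] if len(sys.argv) > 1 else "ioi.dk"
    try:
        out = subprocess.run(["klist", "-e"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_OK  # no credential cache available: demonstrate on the sample
    ok, reason = check_afs_ticket(out, cell)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it as `python check_afs_ticket.py <cell>` on the client after `kinit` and `aklog`; a FAIL on the ticket enctype points at the afs/<cell> account on the AD side rather than at the client, which is the usual cause when aklog against an AD KDC fails.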