[OpenAFS] Questions about AFS security

Derek Atkins warlord@MIT.EDU
20 Jan 2002 21:32:28 -0500


"Patrick J. LoPresti" <patl@curl.com> writes:

> Ah, OK, that makes sense.  I was under the (mistaken) impression that
> krb524 was how v4 clients authenticated against a v5 server.  So now I
> take it that such clients talk to the KDC directly using some
> backwards-compatibility mode, and that I can disable that on the KDC
> if we have no v4 clients?

Nope, krb524d is how you obtain a v4 ticket from a v5 ticket.  You
_CAN_ use it to obtain a v4 TGT from a v5 TGT, but you can set it
up so that you have a v5 aklog that will obtain v5 tickets and then
use krb524d to convert them to v4 and stash them in the kernel.  In
other words, there are no v4 ops on the KDC.

If you have no _other_ v4 clients (e.g. zephyr?), you can safely turn
off v4 on your KDC and use a v5 aklog (such as the one distributed in
the openafs-krb5 package).

> Also, I am still a tad confused on the Windows story.  I thought that
> the current OpenAFS Windows distribution installs a v4 klog, and hooks
> it in to the Windows logon process.  Is this not the case?

Hmm... I don't know enough about the Windows release to tell you what's
going on here, or what they distribute.  They may only distribute a
klog and not an aklog, but you can always build aklog for yourself to
use the v5 tickets and krb524d.

>  - Pat

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available