[OpenAFS] Authenticating against krb5-only KDC (active directory)
Douglas E. Engert
deengert@anl.gov
Thu, 21 Mar 2002 19:54:44 -0600
Ben Poliakoff wrote:
>
> Hmm. The gsiklog project is pretty interesting. Potentially very
> graceful!
>
> I have a silly question though. Given that I'm working in a krb5
> context, what is the service name is gsiklogd expecting to find in the
> keytab file?
>
It would be afs/cell@k5realm
This was originally designed to work with the Globus project which uses
a GSSAPI mechanism built on top of SSL. But since it separates out the
authentication (gssapi) from the AFS token generation, it can work with
the Kerberos V5 GSSAPI. We have a couple of sites using this.
It should work with MIT, Heimdal, or even Martin Rex's WIN32 GSSAPI over SSPI.
(I have not tried all of these.)
> Ben
>
> * Douglas E. Engert <deengert@anl.gov> [020318 07:59]:
> > I see you have received many comments on this, but we are doing this now.
> > I can use K5 on W2k to authenticate, then a krb524d running on a unix
> > box to convert to a K4/AFS token.
> >
> > This requires two sets of mode. The krb524d uses two sets of keys. It decrypts
> > with the K5 key from W2K, then encrypts the K4/AFS token with the key used by
> > AFS in the KeyFile.
> >
> > Since the krb524d is not run on the same machine as the KDC, the client needs
> > to be able to find it. This is done using a krb524d = parameter in the [realms]
> > section of the krb5.conf file.
> >
> > A change we are working on is dropping krb524d and aklog altogether, and
> > replacing them with a gssklog. This would authenticate using GSSAPI, and return a
> > K4/AFS token. The gssklogd would run on the AFS servers. This could then either
> > use the MIT gssapi, or on Windows, could use Martin Rex's GSSAPI over SSPI, i.e.
> > the gssklog has no Kerberos source code, using your favorite compiled GSSAPI libs.
> >
> >
> > See ftp://achilles.ctd.anl.gov/pub/kerberos.v5/
> > for MIT mods for the aklog, and krb524d
> >
> > and
> > ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar
> > for the gssklog.
> >
> >
> > Jacob Gorm Hansen wrote:
> > >
> > > I know Active Directory is not anyone's favorite, not mine either, but I need
> > > to be able to authenticate against it. Currently, I've got just one AFS server.
> > > running debian linux.
> > >
> > > Does anyone have a recipe for doing so? I read somewhere that krb5 was being
> > > worked on for OpenAFS, I suppose that would make things easier. What is the
> > > status of that?
> > >
> > > Best,
> > > Jacob
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> > --
> >
> > Douglas E. Engert <DEEngert@anl.gov>
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
>
> --
> ---------------------------------------------------------------------------
> Ben Poliakoff email: <benp@reed.edu>
> Reed College tel: (503)-788-6674
> Unix System Administrator PGP key: http://www.reed.edu/~benp/key.html
> ---------------------------------------------------------------------------
> 0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
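Ben's question above is which service principal gssklogd expects to find in its keytab, and the answer is afs/cell@k5realm. A practical check before deploying is to confirm that the keytab on the AFS server actually contains that principal. The script below is an added example, not code from this thread, from gssklog, or from OpenAFS: it builds a small MIT-format keytab (file format version 0x0502) in memory, parses it back, and reports whether the afs/<cell>@<REALM> entry is present. The cell name example.cell, the realm EXAMPLE.REALM, the hostname afs1.example.org and all key bytes are constructed placeholders.

```python
"""Parse an MIT-format keytab and check for the afs/<cell>@<REALM> service
principal that gssklogd (per the thread above) looks up.

Added example for this thread; not code from gssklog or OpenAFS. The keytab
bytes, cell, realm and host names are all constructed so the check runs offline.
"""
import struct

KEYTAB_VERSION = (0x05, 0x02)   # MIT keytab file format version 2
KRB5_NT_SRV_HST = 3             # name type for service/host principals
ENCTYPE_AES256_CTS = 18         # aes256-cts-hmac-sha1-96, 32-byte key


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes,
                       timestamp: int = 0) -> bytes:
    """Serialize one entry (size prefix included) for 'comp1/comp2@REALM'.
    Version-2 entries carry a name_type field and a trailing 32-bit kvno."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_SRV_HST, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)            # 32-bit kvno, used when non-zero
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """Assemble a complete keytab blob from (principal, kvno, enctype, key) tuples."""
    return bytes(KEYTAB_VERSION) + b"".join(build_keytab_entry(*e) for e in entries)


def parse_keytab(blob: bytes):
    """Return [(principal, kvno, enctype), ...] from a keytab blob.
    A negative size prefix marks a deleted slot and is skipped."""
    if blob[:2] != bytes(KEYTAB_VERSION):
        raise ValueError("not a version-2 (0x0502) keytab")
    entries = []
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                               # deleted entry: skip its slot
            pos += -size
            continue
        entry = blob[pos:pos + size]
        pos += size
        off = 0
        (ncomp,) = struct.unpack_from(">H", entry, off); off += 2
        (rlen,) = struct.unpack_from(">H", entry, off); off += 2
        realm = entry[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, off); off += 2
            comps.append(entry[off:off + clen].decode()); off += clen
        off += 4                                   # name_type (not needed here)
        off += 4                                   # timestamp (not needed here)
        vno8 = entry[off]; off += 1
        enctype, klen = struct.unpack_from(">HH", entry, off); off += 4
        off += klen                                # skip the key material itself
        kvno = vno8
        if size - off >= 4:                        # optional 32-bit kvno overrides vno8
            (kvno32,) = struct.unpack_from(">I", entry, off)
            if kvno32:
                kvno = kvno32
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def afs_principal_present(keytab_blob: bytes, cell: str, realm: str) -> bool:
    """True if the keytab holds afs/<cell>@<REALM>, the name the thread gives."""
    wanted = f"afs/{cell}@{realm}"
    return any(p == wanted for p, _, _ in parse_keytab(keytab_blob))


# Constructed sample keytab: a host principal plus the AFS service principal.
SAMPLE_KEYTAB = build_keytab([
    ("host/afs1.example.org@EXAMPLE.REALM", 2, ENCTYPE_AES256_CTS, b"\x11" * 32),
    ("afs/example.cell@EXAMPLE.REALM", 5, ENCTYPE_AES256_CTS, b"\x22" * 32),
])

if __name__ == "__main__":
    for principal, kvno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print(f"{principal}  kvno={kvno}  enctype={enctype}")
    print("afs principal present:",
          afs_principal_present(SAMPLE_KEYTAB, "example.cell", "EXAMPLE.REALM"))
```

To check a real server keytab, read the file bytes and pass them to `afs_principal_present` with your cell and realm; the parser deliberately never returns key material, so it is safe to run as a deployment check.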