[OpenAFS] Authenticating against krb5-only KDC (active directory)

Noel Burton-Krahn noel@burton-krahn.com
Thu, 21 Mar 2002 22:43:59 -0800


Have either of you got the OpenAFS Win2k client to authenticate against a
UNIX krb5 server?  I've got the Win2k administrative tools (User Manager,
Server Manager) to work, but the Win2k AFS Client keeps saying "user not
found".

--Noel


-----Original Message-----
From: openafs-info-admin@openafs.org
[mailto:openafs-info-admin@openafs.org]On Behalf Of Douglas E. Engert
Sent: Thursday, March 21, 2002 5:55 PM
To: Ben Poliakoff; openafs-info@openafs.org
Subject: Re: [OpenAFS] Authenticating against krb5-only KDC (active
directory)




Ben Poliakoff wrote:
>
> Hmm.  The gsiklog project is pretty interesting.  Potentially very
> graceful!
>
> I have a silly question though.  Given that I'm working in a krb5
> context, what is the service name is gsiklogd expecting to find in the
> keytab file?
>

It would be afs/cell@k5realm

This was originally designed to work with the Globus project which uses
a GSSAPI mechanism built on top of SSL. But since it separates out the
authentication (gssapi) from the AFS token generation, it can work with
the Kerberos V5 GSSAPI. We have a couple of sites using this.


It should work with MIT, Heimdal, or even Martin Rex's WIN32 GSSAPI over
SSPI. (I have not tried all of these.)

> Ben
>
> * Douglas E. Engert <deengert@anl.gov> [020318 07:59]:
> > I see you have received many comments on this, but we are doing this now.
> > I can use K5 on W2k to authenticate, then a krb524d running on a unix
> > box to convert to a K4/AFS token.
> >
> > This requires two sets of mode. The krb524d uses two sets of keys. It decrypts
> > with the K5 key from W2K, then encrypts the K4/AFS token with the key used by
> > AFS in the KeyFile.
> >
> > Since the krb524d is not run on the same machine as the KDC, the client needs
> > to be able to find it. This is done using a krb524d = parameter in the [realms]
> > section of the krb5.conf file.
> >
> > A change we are working on is dropping krb524d and aklog all together, and
> > replacing them with a gssklog. This would authenticate using GSSAPI, and returns a
> > K4/AFS token. The gssklogd would run on the AFS servers. This could then either
> > use the MIT gssapi, or on Windows, could use Martin Rex's GSSAPI over SSPI. i.e.
> > the gssklog has no Kerberos source code, using your favorite compiled GSSAPI libs.
> >
> >
> > See ftp://achilles.ctd.anl.gov/pub/kerberos.v5/
> > for MIT mods for the aklog, and krb524d
> >
> > and
> >  ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar
> > for the gssklog.
> >
> >
> > Jacob Gorm Hansen wrote:
> > >
> > > I know Active Directory is not anyone's favorite, not mine either, but I need
> > > to be able to authenticate against it. Currently, I've got just one AFS server
> > > running debian linux.
> > >
> > > Does anyone have a recipe for doing so? I read somewhere that krb5 was being
> > > worked on for OpenAFS, I suppose that would make things easier. What is the
> > > status of that?
> > >
> > > Best,
> > > Jacob
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> > --
> >
> >  Douglas E. Engert  <DEEngert@anl.gov>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444
>
> --
> ---------------------------------------------------------------------------
> Ben Poliakoff                                       email: <benp@reed.edu>
> Reed College                                          tel:  (503)-788-6674
> Unix System Administrator      PGP key: http://www.reed.edu/~benp/key.html
> ---------------------------------------------------------------------------
> 0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019

--

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
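The thread says gssklogd expects the afs/cell@k5realm service principal in its keytab. A quick way to confirm a keytab actually carries that principal before debugging "user not found" errors is to scan the output of MIT's `klist -k`. The script below is an added example, not code from the thread or from the gssklog or OpenAFS projects; the keytab listing, the cell name example.org and the realm EXAMPLE.ORG are constructed sample data, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check that a keytab listing, in the
# format printed by MIT "klist -k", contains the afs/<cell>@<REALM> service
# principal that a gssklogd-style daemon would look up.

# Constructed sample of "klist -k" output for a hypothetical keytab.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/afsdb1.example.org@EXAMPLE.ORG
   2 afs/example.org@EXAMPLE.ORG'

# keytab_has_afs_principal CELL REALM LISTING
# Exit status 0 if the listing names afs/CELL@REALM, 1 otherwise.
# The first two lines (keytab name and column header) are skipped; the
# separator line has no second field, so it never matches.
keytab_has_afs_principal() {
    cell=$1; realm=$2; listing=$3
    printf '%s\n' "$listing" | awk -v want="afs/$cell@$realm" '
        NR > 2 && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Wrapper that runs the check against the constructed sample listing.
# In real use you would pass "$(klist -k /path/to/keytab)" instead.
check_sample() {
    keytab_has_afs_principal "$1" "$2" "$SAMPLE_KEYTAB_LISTING"
}

if check_sample example.org EXAMPLE.ORG; then
    echo "afs/example.org@EXAMPLE.ORG present in keytab"
else
    echo "afs service principal missing from keytab" >&2
fi
```

The comparison is exact on the full principal string, so a keytab that only holds a realm-mismatched or differently-named afs principal (for example one for another cell) is reported as missing rather than silently accepted.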