[OpenAFS] Kerberos Authentication with OpenAFS.

Douglas E. Engert deengert@anl.gov
Mon, 13 May 2002 15:38:19 -0500


I think we agree. 

As I pointed out in the gssklog, which is a more generic
replacement for aklog, we are using server/host@realm. The gssklog works
with other GSS implementations too, such as the GSI at http://www.globus.org



David Fulton wrote:
> 
> I agree to that. That adheres to the Kerberos ideal of being generic. There is no reason
> to limit our options with it. I would like to point out that the usual form of a Kerberos
> principal for services is
> 
> service/host@realmname.
> 
> Thus, technically, instead of afs/cellname@realmname, we should have
> afs/servername@realmname. This would require the server to know what cell it is in, but it
> already has that information in /usr/afs/etc/ThisCell and the clients as well. If it were
> to be made truly a separate part, it should find out what its home realm name is from DNS
> (a la MIT Kerberos) and try that realm; this should always be overridable from the
> bosserver command line.

This was not done because AFS uses a single key for the cell, and aklog expects to 
convert a V5 ticket to a V4 ticket using the same principal, and same key.  

This is another side benefit of the gssklog, in that these are now separate. 


> 
> Douglas E. Engert wrote:
> 
> > Derek Atkins wrote:
> >
> >> We should seriously standardize on afs/cell@REALM, whether or not
> >> the cell == REALM.
> >>
> > This also lets you have multiple cells in a realm, as well as the AFS cell
> > accepting authentication from multiple realms.
> > This was part of the argument for treating AFS as an application, separate
> > from how the authentication is done.
> > (The gssklog is using gssklog/server@realm where server is the hostname of
> > the AFS database server running the gssklogd.)
> >
> >
> >> -derek
> >> Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> >>
> >> >>  You will need:
> >> >>         afs/<cell>@REALM in kerberos, with a des-cbc-crc key only
> >> >>
> >> > This brings up something I've been meaning to talk about.
> >> > The migration kit's documentation says normally you should use afs@REALM,
> >> > because if you're migrating over from V4, that's the name of the principal
> >> > you're using.  It only suggests using afs/<cell>@REALM if your cell name
> >> > doesn't match your realm.
> >> > The problem with using afs/<cell>@REALM is that the stock aklog I have
> >> > in the migration kit doesn't try it.  I guess the one you guys are shipping
> >> > has been patched.  I'm just wondering if we should think about standardizing
> >> > on the principal name, because there seems to be some variance out there.
> >> > --Ken
> >> > _______________________________________________
> >> > OpenAFS-info mailing list
> >> > OpenAFS-info@openafs.org
> >> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >> >
> >> --
> >>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >>        Member, MIT Student Information Processing Board  (SIPB)
> >>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >>        warlord@MIT.EDU                        PGP key available
> >>

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
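The naming variants argued over in this thread (afs@REALM, afs/<cell>@REALM, and the host-based service/host@REALM form), as an added example that is not code from the OpenAFS project, the migration kit, gssklog, or any of the posters: a small parser for Kerberos V5 principal names that honours the backslash escapes for '/', '@' and '\', plus a function that lists, in order, the service principals a client could try for a cell. The ordering it chooses (afs/<cell>@REALM first, the V4-style afs@REALM only when cell and realm match, a host-based name only when a server is named) is this example's own illustration of the options discussed, not what aklog or gssklog actually does; `Principal`, `parse_principal` and `afs_service_candidates` are names assumed here.

```python
# Added example: Kerberos principal parsing and candidate service-principal
# ordering for an AFS cell. Not code from OpenAFS, aklog or gssklog; the
# function names and the try-order are assumptions of this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _escape(component: str) -> str:
    """Re-escape the characters that are special in a principal's text form."""
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


@dataclass(frozen=True)
class Principal:
    """A parsed Kerberos V5 principal: name components plus realm."""
    components: Tuple[str, ...]
    realm: str

    def __str__(self) -> str:
        return "/".join(_escape(c) for c in self.components) + "@" + _escape(self.realm)

    @property
    def service(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> str:
        # Empty for the single-component V4-style form (afs@REALM).
        return self.components[1] if len(self.components) > 1 else ""


def parse_principal(text: str) -> Principal:
    """Split 'svc/inst@REALM' into components and realm.

    A backslash quotes the next character, so 'afs/cell\\/x@R' has the
    instance 'cell/x'. Characters after the first unescaped '@' are the realm.
    """
    components: List[str] = []
    buf: List[str] = []
    realm: Optional[str] = None
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # quoted character, taken literally
            i += 2
            continue
        if realm is None and ch == "/":
            components.append("".join(buf))
            buf = []
        elif realm is None and ch == "@":
            components.append("".join(buf))
            buf = []
            realm = ""  # the rest of the string is the realm
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        raise ValueError(f"principal has no realm: {text!r}")
    realm = "".join(buf)
    if not realm or any(c == "" for c in components):
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(tuple(components), realm)


def afs_service_candidates(cell: str, realm: str,
                           server: Optional[str] = None) -> List[Principal]:
    """Service principals a client could try for a cell, in this example's order.

    1. afs/<cell>@REALM  - the form the thread proposes standardising on;
       it also allows several cells per realm.
    2. afs@REALM         - the V4 migration name; only unambiguous when the
       cell name matches the realm, so it is offered only then.
    3. afs/<server>@REALM - the generic service/host form, listed only when
       the caller names a database server.
    """
    candidates = [Principal(("afs", cell), realm)]
    if cell.lower() == realm.lower():
        candidates.append(Principal(("afs",), realm))
    if server:
        candidates.append(Principal(("afs", server), realm))
    return candidates


if __name__ == "__main__":
    # Constructed sample cell/realm pair, not a real site.
    for p in afs_service_candidates("example.com", "EXAMPLE.COM", server="db1.example.com"):
        print(str(p), "instance=" + repr(p.instance))
```

A client that tries the list top to bottom covers both a KDC provisioned with the newer afs/<cell>@REALM name and one still carrying the V4-era afs@REALM name; a server, by contrast, should hold exactly one of these keys, since each name is a separate principal with its own key.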