[OpenAFS] 1.2.10 without krb524

Douglas E. Engert deengert@anl.gov
Mon, 25 Aug 2003 10:19:48 -0500


Chris McClimans wrote:
> 
> I have two REALMS:
> TTU.EDU
> CS.TTU.EDU
> 
> I have a keytab for afs/cs.ttu.edu in both REALMS and have added it to
> the KeyFile on all my afs servers.
> 
> I do not control the TTU.EDU servers and therefore control of the
> default location for krb524 for that realm.
> I have setup krb524 on a local server using -k (to use keyfile instead
> of master database). However I read that 1.2.10 has
> the ability to do straight krb5 ticket/token conversion without krb524.

gssklog could help here for a number of reasons. 

A copy of the gssklogd daemon is run on each of the AFS database servers.
The client uses the standard AFS routines to find the gssklogd daemon,
thus not requiring any krb5.conf changes.

The gssklogd can accept principals in multiple realms, and map them
to the same AFS username. Think of the cell as an AFS authorization 
domain, and the realm as a Kerberos authentication domain.

> 
> I'd prefer if username@TTU.EDU and username@CS.TTU.EDU were both
> 'username' in the pts database. Not to mention you can't specify
> UIDs to cross-realm entities (i.e. pts entries like username@ttu.edu).
> 
> One path would be to figure out how to get rid of krb524 altogether,

Yes, code has been added to allow a K5 ticket to be used in the token.
This still needs a modified aklog, or similar program. There are
issues with the size of the ticket, especially when using a W2K AD
as the KDC and the AFS cell is then part of a single Kerberos Realm.
(I have a version of ak5log which can use the K5 ticket directly,
but it is not ready for prime time.)

> the other would be to make sure the krb5.conf contains the following:
> 
> [appdefaults]
> afs_krb5 = {
>          CS.TTU.EDU = {
>                  afs = false
>                  afs/cs.ttu.edu = true
>          }
>          TTU.EDU = {
>                  afs = false
>                  afs/cs.ttu.edu = true
>                  krb524_server=oak.cs.ttu.edu
>                  # we could alternatively do _KRB524 DNS entries
>                  # _KRB524.TTU.EDU SRV oak.cs.ttu.edu, but that would
> mean requesting TTU.EDU point their SRV entry to me, not likely.
>          }
> }
> 
> Since I would have to keep this up to date on all clients, I'd prefer
> to get rid of krb524. Anyone have pointers to how to accomplish this on
> the unix side? I saw a couple posts about it working on the windows
> side.

gssklog runs on Unix and Windows:

  ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
  ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.8.tar

> 
> --
> Chris McClimans  / Director of Undergraduate Labs / Texas Tech Computer
> Science
> http://www.cs.ttu.edu
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
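As an added illustration of the two ideas in this thread (neither the code below nor its behaviour comes from OpenAFS, aklog or gssklog), here is a small Python parser for the krb5.conf `[appdefaults] afs_krb5` stanza Chris quoted, plus a realm-to-pts-name mapping of the kind Doug describes gssklogd doing. The sample krb5.conf text is constructed for the example; `afs_krb5_settings`, `afs_user_for` and the `trusted_realms` set are hypothetical names, not APIs of any real tool. The parser handles nested `{ }` blocks, `#` comments and `key=value` pairs without spaces, and rejects unbalanced braces rather than silently accepting a truncated file.

```python
"""Parse a krb5.conf and answer, per realm, which AFS service principal an
aklog-style client should request and which krb524 server (if any) it should
use; then map user@REALM from several trusted realms onto one pts name.
Added example, not code from OpenAFS, aklog or gssklog."""
import re

# Constructed sample; mirrors the stanza quoted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = CS.TTU.EDU

[appdefaults]
afs_krb5 = {
         CS.TTU.EDU = {
                 afs = false
                 afs/cs.ttu.edu = true
         }
         TTU.EDU = {
                 afs = false
                 afs/cs.ttu.edu = true
                 krb524_server=oak.cs.ttu.edu
                 # comment lines are ignored by the parser
         }
}
"""

_SECTION = re.compile(r"^\[(\w+)\]$")          # [appdefaults]
_OPEN = re.compile(r"^([^=\s]+)\s*=\s*\{$")     # name = {
_PAIR = re.compile(r"^([^=\s]+)\s*=\s*(.+)$")   # key = value / key=value


def parse_krb5_conf(text):
    """Return {section: {key: value-or-nested-dict}} for krb5.conf text."""
    sections = {}
    stack = []  # dicts from the current section down to the innermost '{'
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key/value before any [section]: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in: %r" % raw)
            stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = _PAIR.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError("cannot parse line: %r" % raw)
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of file")
    return sections


def afs_krb5_settings(conf, realm):
    """(service principals flagged true, krb524_server or None) for a realm.
    A realm with no afs_krb5 entry yields ([], None) so the caller can fall
    back to its defaults instead of guessing."""
    stanza = conf.get("appdefaults", {}).get("afs_krb5", {}).get(realm)
    if stanza is None:
        return ([], None)
    principals = [k for k, v in stanza.items()
                  if isinstance(v, str) and v.lower() == "true"]
    return (principals, stanza.get("krb524_server"))


def afs_user_for(principal, trusted_realms):
    """Map user@REALM to the pts name 'user' when REALM is in the trusted set
    (hypothetical equivalent of gssklogd accepting several realms for one
    cell). Anything else, including service principals, is refused."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or realm not in trusted_realms:
        raise ValueError("principal %r is not in a trusted realm" % principal)
    if "/" in name:
        raise ValueError("service principal %r is not a pts user" % principal)
    return name


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for r in ("CS.TTU.EDU", "TTU.EDU", "EXAMPLE.COM"):
        print(r, afs_krb5_settings(conf, r))
    trusted = {"TTU.EDU", "CS.TTU.EDU"}
    for p in ("username@TTU.EDU", "username@CS.TTU.EDU"):
        print(p, "->", afs_user_for(p, trusted))
```

The point of the strict brace check is the failure mode Chris worries about: a krb5.conf that is copied to every client by hand is exactly the file that ends up truncated or mis-edited, and a client that silently parsed a half-written stanza would fall back to the wrong krb524 server or service principal without any error.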