[OpenAFS] Krb5 integration with AFS

John Tang Boyland boyland@solomons.cs.uwm.edu
Tue, 30 Dec 2003 16:02:38 -0600


Given the current discussion, I'm posting a list of wishes
for OpenAFS + kerberos that I composed last May:

Here's what's missing with krb5 integration with AFS:

(1) Built-in fakekaserver
    that handles all kas' protocol with a remote krb5 KDC
    (not part of AFS)
        (basically a souped-up kaforwarder.)
(2) PAM libraries to handle krb5/kas transparently

(3) executables for klog and klog.krb that work with K5
    (as well as with K4)
        (fold aklog into klog.)

In particular, it should be possible to use krb5 with AFS
by asking the kaserver/fakeka on the AFS database server
machine where the krb5 server is.  Ideally this would avoid
the need for a krb5.conf file on every single client machine.

One of the nice things about AFS is that you don't need to do a full Kerberos
configuration in order to use some remote cell, but as far as I can tell,
Kerberos 5 won't let you contact a remote cell unless you have
that remote cell/realm described in krb5.conf.  And the archive
of this list indicates you need lots of hairy things in
the krb5.conf in order to get PAM to work.

John