[OpenAFS] Krb5 integration with AFS

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 30 Dec 2003 17:15:12 -0500


>Given the current discussion, I'm posting a list of wishes
>for OpenAFS + kerberos that I composed last May:

Note that I'm not an AFS Elder or anyone of importance, so take what I say
with a grain of salt.

>Here's what's missing with krb5 integration with afs:
>
>(1) Built in fakekaserver
>    that handles all kas' protocol with a remote krb5 KDC
>    (not part of AFS)
>        (basically a souped-up kaforwarder.)

The two major open-source Kerberos implementations (Heimdal & MIT) ship
with a fakekaserver, so this seems sort-of redundant.  No, they don't do
the whole protocol, but that would be difficult, since some of what kas
does can't be mapped into what today's krb5 KDCs do, unless you want to
extend the kas protocol ... and I don't really see people lining up to
do that.  What we have is enough to make "klog" work and that seems to
be sufficient.

>(2) pam libraries to handle krb5/kas transparently

There are some PAM libraries around, like the ones that come with Debian,
that seem to do all of the right magic today.

>(3) executables for klog and klog.krb that work with K5
>    (as well as with K4)
>        (fold aklog into klog.)

Ewww ... to me, that is going backwards.

>In particular, it should be possible to use krb5 with AFS
>by asking the kaserver/fakeka on the AFS database server
>machine where the krb5 server is.  Ideally this would avoid
>the need for a krb5.conf file on every single client machine.

If you don't like DNS SRV records, then you're using a CellServDB file,
which is maintained on every client machine.  Personally, I don't
consider the cost of maintaining two client-side files that much
greater than one.  If you do like DNS SRV records, then you should just
use the DNS SRV records for Kerberos (which are supported by the two
major open-source implementations today).  Again, I don't see people
lining up to extend the kas protocol when we already have a
configuration discovery mechanism for Kerberos.

>One of the nice things about AFS is that you don't need to do a full kerberos
>configuration in order to use some remote cell, but as far as I can tell,
>kerberos 5 won't let you contact a remote cell unless you have
>that remote cell/realm described in krb5.conf.

"See above".  Note that in terms of client-side configuration, your
Kerberos and AFS are roughly the same; you either need DNS SRV entries,
or you need a client configuration file.

>And the archive
>of this list indicates you need lots of hairy things in
>the krb5.conf in order to get PAM to work.

Well, to quote Derrick Brashear, "PAM sucks".

--Ken
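The point Ken makes about client-side discovery (a static file or DNS SRV records, for Kerberos and AFS alike, and that a realm absent from krb5.conf is still reachable through DNS) is illustrated by the following added example. It is not code from the mailing-list post or from OpenAFS/MIT/Heimdal. The krb5.conf stanza, the CellServDB excerpt and the SRV answers are all constructed inline so nothing touches the network; a real client would issue the `_kerberos._udp.<REALM>` query itself (the `dns_lookup_kdc` path). The AFS SRV name `_afs3-vlserver._udp.<cell>` is the one later standardised in RFC 5864 (in 2003 AFS used AFSDB records); the deterministic weight ordering is a simplification of RFC 2782, which calls for a weighted random pick within a priority.

```python
"""Client-side KDC / AFS db-server discovery: static file vs DNS SRV.

Added example, not from the original post. All inputs are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed krb5.conf: only EXAMPLE.ORG is described statically.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org:88
        kdc = kdc2.example.org
        admin_server = kdc1.example.org
    }
"""

# Constructed CellServDB: ">cell  #comment" then one db server per line.
CELLSERVDB = """
>example.org            # Example cell
192.0.2.10              #db1.example.org
192.0.2.11              #db2.example.org
"""

# Constructed SRV answers: (priority, weight, port, target), RFC 2782 order.
# REMOTE.ORG / remote.org deliberately do NOT appear in the files above.
SRV_ANSWERS: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_kerberos._udp.REMOTE.ORG": [
        (10, 50, 88, "kdc2.remote.org"),
        (0, 100, 88, "kdc1.remote.org"),
        (10, 100, 88, "kdc3.remote.org"),
    ],
    "_afs3-vlserver._udp.remote.org": [
        (0, 0, 7003, "db1.remote.org"),
        (0, 0, 7003, "db2.remote.org"),
    ],
}


def krb5_kdcs(conf: str, realm: str) -> List[Tuple[str, int]]:
    """(host, port) KDCs for `realm` from a krb5.conf [realms] section."""
    in_realms = in_stanza = False
    kdcs: List[Tuple[str, int]] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_realms = line == "[realms]"
            continue
        if not in_realms:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            in_stanza = m.group(1) == realm
            continue
        if line == "}":
            in_stanza = False
            continue
        if in_stanza:
            key, _, val = line.partition("=")
            if key.strip() == "kdc":
                host, _, port = val.strip().partition(":")
                kdcs.append((host, int(port) if port else 88))  # 88 = default
    return kdcs


def cellservdb_servers(db: str, cell: str) -> List[str]:
    """Database-server addresses for `cell` from a CellServDB file."""
    servers: List[str] = []
    current = None
    for raw in db.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            current = line[1:].split()[0]
        elif current == cell:
            servers.append(line.split()[0])  # "#hostname" after it is a comment
    return servers


def srv_targets(name: str, answers=SRV_ANSWERS) -> List[Tuple[str, int]]:
    """Order SRV records: lowest priority first, highest weight next.
    (Deterministic stand-in for RFC 2782's weighted random choice.)"""
    recs = sorted(answers.get(name, []), key=lambda r: (r[0], -r[1]))
    return [(target, port) for _, _, port, target in recs]


def kdcs_for_realm(realm: str, conf: str = KRB5_CONF) -> List[Tuple[str, int]]:
    """Static stanza wins; an unconfigured realm falls back to SRV lookup."""
    static = krb5_kdcs(conf, realm)
    return static or srv_targets(f"_kerberos._udp.{realm}")


def dbservers_for_cell(cell: str, db: str = CELLSERVDB) -> List[str]:
    """Same two-step discovery for an AFS cell: CellServDB, then SRV."""
    static = cellservdb_servers(db, cell)
    return static or [h for h, _ in srv_targets(f"_afs3-vlserver._udp.{cell}")]


if __name__ == "__main__":
    print(kdcs_for_realm("EXAMPLE.ORG"))   # from krb5.conf
    print(kdcs_for_realm("REMOTE.ORG"))    # not in krb5.conf: SRV order
    print(dbservers_for_cell("remote.org"))
```

The realm that is missing from krb5.conf still resolves, which is exactly the "remote cell" case the quoted complaint raises: the extra client-side state is the same shape for both systems, a file entry or a DNS record, and the AFS side needs one of them just as much.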