[OpenAFS] AFS and w2k KDC
Christos Ricudis
ricudis@itc.auth.gr
Thu, 3 Jul 2003 14:01:23 +0300
Dear AFS users,
I am trying to migrate our AFS to Kerberos 5 Authentication. The
intention is to use a W2k KDC for AFS authentication. The problem
is that I haven't been able to find any concise documentation
about the procedure to accomplish either of these two tasks.
1) All available documentation and posts imply that I should be using
krb5 kinit in conjunction with aklog, or the modified klogin/kinit in
afs-krb5 package to obtain AFS tokens. We use pam_afs to obtain tokens
in our current installation. Is it able to accomplish this task?
It seems that pam_krb5 alone wouldn't be enough. Has anybody done it?
We need to authenticate Linux, Solaris, HP-UX and Windows clients.
I have found Doug Engert's GSSKLOG. At first look, it seems like it
can be of help on this.
2) Trying to compile the latest NRL AFS-Kerberos 5 migration kit,
obtained from grand.central.org, the monster patch does not apply
cleanly to any of the MIT krb5 packages I have been able to find.
It also seems that it applies only to krb5 1.2.7. Kerberos 5 1.2.8,
though, includes some very important security fixes. How important
is the monster-patch for correct operation of AFS with krb5? Has the
monster-patch been ported to 1.2.8?
3) Assuming I can finally get AFS to work with krb5, how can I
authenticate from a W2k KDC? Can krb524d be used to authenticate
against a W2k KDC, or do I need two KDCs and cross-realm authentication?
Are there any documents detailing the necessary steps?
Thank you very much,
--
Christos Ricudis ricudis@itc.auth.gr
Systems Administrator +30-2310-998305
IT Support Center
Aristotles University of Thessaloniki, GREECE