[OpenAFS] some simple openafs questions

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 25 Jul 2003 18:44:22 -0400


On Friday, July 25, 2003 13:37:03 -0400 Faheem Mitha <faheem@email.unc.edu> 
wrote:

>
>
> On Fri, 25 Jul 2003, Ken Hornstein wrote:
>
>> >> Errr.... that was never said, Rodney.  Jeff said _kaserver_ clients;
>> >> the Windows AFS clients aren't kaserver clients, they're krb4 clients.
>> >
>> > Um. Does this mean a Heimdal server will work with Windows, but a MIT
>> > server will not? I definitely want it to work with the Openafs client
>> > on Windows, whatever that uses.
>>
>> Both Heimdal and MIT support V4.  Although I thought in your situation,
>> you're using the campus-provided server.
>
> Well, currently I am. But if I set up my own server (which is what my
> original message was about) then I want it to work with what we've been
> using with the campus server, namely klog (for Linux) and the Openafs
> client (for Windows).

OK.  There seems to have been a lot of FUD spread in this thread.  Let me 
try to clear things up just a little...

- Both Heimdal and the MIT KDC are Kerberos V implementations.
- Both Heimdal and the MIT KDC are capable of responding to Kerberos IV 
requests.  The MIT implementation will do this by default, while Heimdal 
will do so only if linked against KTH's krb4 implementation (kth-krb), 
which is distributed separately.
- Both Heimdal and the MIT KDC are capable of handling kaserver requests. 
In Heimdal this feature is built in to the main KDC process (but must be 
enabled at configure-time, IIRC), while the MIT implementation uses a 
separate process (fakeka).  The fakeka server is included in MIT Kerberos 
1.3; for earlier versions it was distributed separately as part of the 
afs-krb5 migration toolkit.
- Both Heimdal and the MIT KDC support the Kerberos 5-to-4 ticket 
translation service.  In Heimdal this feature is built in to the main KDC 
process, while in the MIT implementation it is provided in a separate 
process (krb524d).

- OpenAFS ships with an authentication service, the kaserver, which 
responds to both kaserver and Kerberos IV requests.  It is not a Kerberos V 
implementation, and does not respond to Kerberos IV requests.  It is not 
recommended that new installations use this.


OpenAFS ships with a number of authentication-related utilities for use on 
clients; the most notable of these is 'klog'.  On UNIX systems (including 
MacOS X), these tools speak the kaserver protocol; they will work with a 
real kaserver, or a Heimdal KDC configured to handle kaserver requests, or 
an MIT KDC running fakeka.  On Windows, these tools speak the Kerberos IV 
protocol; they will work with a real kaserver, or a Heimdal KDC built with 
krb4 support, or any MIT KDC.

There are also a number of tools available for turning existing Kerberos 
tickets into AFS tokens.  Heimdal ships with a tool called 'afslog', and 
also provides this support as part of its kinit.  If you are using MIT 
Kerberos, the tool is called 'aklog', and is distributed separately, again 
as part of the afs-krb5 migration toolkit.  On Debian, aklog is in the 
openafs-krb5 package.  Both of these tools work by obtaining Kerberos V 
tickets for the AFS service (using your existing TGT), and then contacting 
the Kerberos 5-to-4 ticket translation service to obtain Kerberos 4 
tickets.  They then perform a simple local transformation to obtain the 
token to be handed to the AFS cache manager.  The Kerberos 5-to-4 ticket 
translation service must be available for these tools to work.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA