[OpenAFS] some simple openafs questions
Rodney M Dyer
rmdyer@uncc.edu
Fri, 25 Jul 2003 19:12:28 -0400
At 06:44 PM 7/25/2003 -0400, Jeffrey Hutzelman wrote:
>OpenAFS ships with a number of authentication-related utilities for use on
>clients; the most notable of these is 'klog'. ........ On Windows, these
>tools speak the Kerberos IV protocol; they will work with a real kaserver,
>or a Heimdal KDC built with krb4 support, or any MIT KDC.
We have just finished testing this scenario on Windows and find
disagreement with you. Using Transarc AFS...the "klog" command...
c:\>klog username -servers krb5-kdc.uncc.edu
Password: xxxxx
Unable to authenticate to AFS because Authentication Server was unavailable.
Snooping the network reveals that the "klog" sends several requests on Port
750, but gets no replies.
We could not test this feature on OpenAFS "klog" because the "-servers"
option is not available.
We are using MIT Kerberos v5 1.2.8 on our KDC server, and it is set up to
respond on ports 750 and 88.
Is the problem (with Transarc's klog) that we are not "running" our MIT KDC
"on" our AFS cell servers where the kaserver normally exists? If so, what
exactly is the problem here? Can we not run a separate K5 KDC on another
box other than our AFS cell servers? That would seem to be the case with
OpenAFS's "klog" since we can't specify an alternate server.
Is the krb protocol that Transarc's "klog" speaks..."true" Kerberos IV
protocol? Why do we get zero responses from the MIT KDC? The network
snoops show that it is accepting the packets from "klog"; it just isn't
responding.
Just curious,
Rodney