[OpenAFS] some simple openafs questions

Rodney M Dyer rmdyer@uncc.edu
Fri, 25 Jul 2003 19:12:28 -0400


At 06:44 PM 7/25/2003 -0400, Jeffrey Hutzelman wrote:

>OpenAFS ships with a number of authentication-related utilities for use on 
>clients; the most notable of these is 'klog'.  ........ On Windows, these 
>tools speak the Kerberos IV protocol; they will work with a real kaserver, 
>or a Heimdal KDC built with krb4 support, or any MIT KDC.

We have just finished testing this scenario on Windows and find 
disagreement with you.  Using Transarc AFS...the "klog" command...

c:\>klog username -servers krb5-kdc.uncc.edu
Password:  xxxxx
Unable to authenticate to AFS because Authentication Server was unavailable.

Snooping the network reveals that the "klog" sends several requests on Port 
750, but gets no replies.

We could not test this feature on OpenAFS "klog" because the "-servers" 
option is not available.

We are using MIT Kerberos v5 1.2.8 on our KDC server, and it is set up to 
respond on ports 750 and 88.

Is the problem (with Transarc's klog) that we are not "running" our MIT KDC 
"on" our AFS cell servers where the kaserver normally exists?  If so, what 
exactly is the problem here?  Can we not run a separate K5 KDC on another 
box other than our AFS cell servers?  That would seem to be the case with 
OpenAFS's "klog" since we can't specify an alternate server.

Is the krb protocol that Transarc's "klog" speaks..."true" Kerberos IV 
protocol?  Why do we get zero responses from the MIT KDC?  The network 
snoops show that it is accepting the packets from "klog"; it just isn't 
responding.

Just curious,

Rodney