[OpenAFS] some simple openafs questions

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 25 Jul 2003 19:41:37 -0400


On Friday, July 25, 2003 19:12:28 -0400 Rodney M Dyer <rmdyer@uncc.edu> 
wrote:

> At 06:44 PM 7/25/2003 -0400, Jeffrey Hutzelman wrote:
>
>> OpenAFS ships with a number of authentication-related utilities for use
>> on clients; the most notable of these is 'klog'.  ........ On Windows,
>> these tools speak the Kerberos IV protocol; they will work with a real
>> kaserver, or a Heimdal KDC built with krb4 support, or any MIT KDC.
>
> We have just finished testing this scenario on Windows and find
> disagreement with you.  Using Transarc AFS...the "klog" command...
>
> c:\>klog username -servers krb5-kdc.uncc.edu
> Password:  xxxxx
> Unable to authenticate to AFS because Authentication Server was
> unavailable.
>
> Snooping the network reveals that the "klog" sends several requests on
> Port 750, but gets no replies.
>
> We could not test this feature on OpenAFS "klog" because the "-servers"
> option is not available.
>
> We are using MIT Kerberos v5 1.2.8 on our KDC server, and it is setup to
> respond on ports 750, and 88.
>
> Is the problem (with Transarc's klog) that we are not "running" our MIT
> KDC "on" our AFS cell servers where the kaserver normally exists?  If so,
> what exactly is the problem here?  Can we not run a separate K5 KDC on
> another box other than our AFS cell servers?  That would seem to be the
> case with OpenAFS's "klog" since we can't specify an alternate server.
>
> Is the krb protocol that Transarc's "klog" speaks..."true" Kerberos IV
> protocol?  Why do we get zero responses from the MIT KDC?  The network
> snoops show that it is accepting the packets from "klog" it just isn't
> responding.

Yes, it does speak real krb4, which really isn't all that complicated a 
protocol.  It will work with an MIT KDC; we have this running in production 
right now.  I'd suggest checking your KDC logs to see what is going on.  It 
may be the case that additional configuration is required before the KDC 
will respond to krb4 requests (note this is independent of what ports it 
listens on).

In order to use klog without -servers, or the mechanisms that let you get 
AFS tokens on login, you "must" be running KDCs on the AFS database 
servers.  In our environment, we've dealt with this mostly by lying to the 
client, and telling it our KDC is a database server.  It times out the 
vlserver pretty quickly, and authentication works fine.

It's also possible to set up a server running on the database servers which 
accepts requests from clients, forwards them to the KDCs, and then 
forwards the responses back.  I know people have done this; perhaps someone 
who maintains such a tool will speak up.
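The forwarding setup described above, as an added illustration rather than any tool from this thread or from OpenAFS: a minimal UDP relay that would run on each AFS database server, take a client's Kerberos IV request on port 750, pass it to a KDC on another box, and hand the answer back. The hostnames in serve() are placeholders, and loopback_demo() exercises the relay against a constructed fake KDC, including the silent-KDC case where no reply ever comes.

```python
import socket
import threading

KRB4_PORT = 750  # UDP port klog sends its Kerberos IV requests to, per the thread

def relay_once(listen_sock, kdc_addr, timeout=5.0, bufsize=4096):
    """Forward one client datagram unchanged to the KDC at kdc_addr and send
    the KDC's answer back; returns the reply, or None if the KDC stayed silent."""
    request, client = listen_sock.recvfrom(bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as upstream:
        upstream.settimeout(timeout)
        upstream.sendto(request, kdc_addr)
        try:
            reply, _ = upstream.recvfrom(bufsize)
        except socket.timeout:
            return None  # the client sees the same silence it would from the KDC
    listen_sock.sendto(reply, client)
    return reply

def serve(listen_addr, kdc_addr):
    """Run forever on a database server, e.g. serve(("0.0.0.0", KRB4_PORT),
    ("kdc.example.org", KRB4_PORT)); the hostname here is a placeholder."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listen_sock:
        listen_sock.bind(listen_addr)
        while True:
            relay_once(listen_sock, kdc_addr)

def _udp():
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))  # loopback, ephemeral port
    return sock

def loopback_demo():
    """Constructed check on loopback: a fake KDC that answers one request,
    then one that never replies (the no-response symptom from the thread)."""
    fake_kdc, relay_sock, client, silent_kdc = _udp(), _udp(), _udp(), _udp()
    client.settimeout(5.0)
    def answer_one():
        request, peer = fake_kdc.recvfrom(4096)
        fake_kdc.sendto(b"KDC-REPLY:" + request, peer)
    threading.Thread(target=answer_one, daemon=True).start()
    client.sendto(b"AUTH-REQ", relay_sock.getsockname())
    relayed = relay_once(relay_sock, fake_kdc.getsockname())
    answered = client.recvfrom(4096)[0]
    client.sendto(b"AUTH-REQ", relay_sock.getsockname())
    timed_out = relay_once(relay_sock, silent_kdc.getsockname(), timeout=0.5)
    for sock in (fake_kdc, relay_sock, client, silent_kdc):
        sock.close()
    return relayed, answered, timed_out
```

Because the relay does not parse the krb4 messages, a client behind it sees exactly what the KDC sends, or the same timeout it would see from a KDC that never answers.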