[OpenAFS] Kerberos 5, AFS, and no krb524d

Douglas E. Engert deengert@anl.gov
Thu, 05 Jun 2003 14:32:09 -0500 

If you Kerberos admins will not run the krb524d (and I don't know
why not) there are some other options:

 o An aklog that just used the k5 ticket would be good, but is there one
   yet? This would in efect be a klog, using k5, and the K5 realm must
   match the AFS cell. The AFS servers need to be 1.2.9 

 o Run krb524d -k on a seperate machine, but the client need to know where
   it is, as well as the lib. We do this for the W2K KDC, The krb5.conf 
   [realms] entry has a krb524d = <host> where the krb524d runs on UNIX.

 o Use gssklog, where the gssklogd deamons run on the AFS database servers.
   The clients run on Unix or Windows. The realm of the KDC does not have to
   match the AFS cell name, as the gssklogd does a mapping from the GSS 
   client_name to the AFS uid name, and returns an AFS token.
   It needs the GSSAPI and on Windows I am using the MIT, but I am going 
   to try and get it to work directly with the SSPI.
 
   See  ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.6.tar


Nicholas Henke wrote:
> 
> On Thu, 2003-06-05 at 14:56, Derrick J Brashear wrote:
> > On Thu, 5 Jun 2003, Nicholas Henke wrote:
> >
> > > Hey folks~~
> > >     I have been struggling with setting up openAFS under our existing MIT
> > > Kerberos V setup here at Penn. The KDC here does not support v4 tickets,
> > > so there is no krb524 running. Is there an aklog that does not need to
> > > talk to a krb524d, or is there another way to setup AFS with out the
> > > '524' translator ?
> >
> > Why can't you run a krb524d just for AFS, that doesn't support v4 tickets
> > but does afs rxkad 2b?
> 
> Do you mean locally to the OpenAFS machine, or on the kerberos server? I
> have tried the local krb524d without success, and as for the UPENN.EDU
> kerberos realm, Penn does not support v4 tickets, and will not run that
> service. I am not sure what you mean by 'afs rxkad 2b' -- can you
> explain this a bit more
> 
> >
> > > I have tried running a krb524d locally here, using a keytab filled with
> > > 'ktadd ...', but it just does not seem to work.
> >
> > did ktadd change the key? (i don't remember)
> 
> I really don't know.
> 
> >
> > even if not, how did you tell your clients where to look for krb524d?
> 
> [realms]
>  UPENN.EDU = {
>   kdc = kerberos1.upenn.edu:88
>   kdc = roughneck.liniac.upenn.edu
>   admin_server = kerberos1.upenn.edu:749
>   krb524_server = roughneck.liniac.upenn.edu:4444
>  }
> 
> I would rather not do this -- and just use the v5 tickets.
> Nic
> --
> Nicholas Henke
> Penguin Herder & Linux Cluster System Programmer
> Liniac Project - Univ. of Pennsylvania
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444