[OpenAFS] Kerberos 5, AFS, and no krb524d

Douglas E. Engert deengert@anl.gov
Fri, 06 Jun 2003 10:07:48 -0500


Nicholas Henke wrote:
> 
> On Thu, 2003-06-05 at 16:29, Douglas E. Engert wrote:
> 
> > I will let someone else answer this, as the modified krb524d we use uses one key
> > for the K5 ticket to decrypt it, then reads the AFS keyfile to get the key
> > in which to encrypt the AFS token, thus avoiding many of these key sync issues;
> > e.g. enctypes or kvno don't have to match.
> 
> Is the modified krb524d something that would be useful to me -- or
> possibly others?

Yes, they could be. We are running krb5-1.2.8. See
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/afs524.notes
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5128.cdiffp.20030606
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/ak5log.20030606.tar

Older versions are under ftp://achilles.ctd.anl.gov/pub/kerberos.v5/old/

Look at the krb524* changes listed in the k5128 diff file above. 
These changes were originally written when we had DFS as well as AFS,
and we were trying to use the Transarc AFS/DFS Migration.
Because of the way it worked, the changes and the ak5log program
were using principals of afsx/<cell>@<realm>. If you want to
use your current aklog, you could use the afs/<cell>@<realm> principal.
You will need to change the compare in conv_princ.c from "afsx" to "afs"
(but I have not tried this).

You need to compile Kerberos with -DAFS524.

These changes were originally submitted to MIT in 1996.
Maybe it is time to submit them again? 

> 
> > (We took down our AFS cell once trying to get these keys in sync, and said
> 
> Heh -- I can imagine that... :)
> 
> Nic
> --
> Nicholas Henke
> Penguin Herder & Linux Cluster System Programmer
> Liniac Project - Univ. of Pennsylvania

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
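Added illustration, not code from this thread or from the ANL krb524d/ak5log patches: the "key sync" requirement that the modified krb524d sidesteps is that a stock conversion only works when the afs/<cell>@<realm> entry in the KDC's keytab and the AFS server KeyFile hold the same single-DES key bytes under the same kvno. The Python below parses both on-disk formats (the fixed-size AFS KeyFile and an MIT version-2 keytab) and reports why a stock setup would fail for a given cell, so an administrator can audit a cell before touching keys rather than discovering the mismatch by taking the cell down. The cell name example.org, realm EXAMPLE.ORG, key bytes and the `build_keytab`/`sample_keytab` helpers are constructed for the example and are not the project's tooling.

```python
import struct

# AFS KeyFile layout (network byte order, fixed 100 bytes):
#   int32 nkeys, then 8 slots of { int32 kvno; unsigned char key[8] }.
MAXKEYS = 8
# Single-DES enctypes, the only ones whose key can equal an AFS KeyFile key.
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def parse_afs_keyfile(data):
    """Return {kvno: 8-byte key} for the keys stored in a KeyFile image."""
    if len(data) < 4 + 12 * MAXKEYS:
        raise ValueError("KeyFile too short")
    (nkeys,) = struct.unpack_from(">i", data, 0)
    if not 0 <= nkeys <= MAXKEYS:
        raise ValueError("bad nkeys in KeyFile")
    keys = {}
    for i in range(nkeys):
        kvno, key = struct.unpack_from(">i8s", data, 4 + 12 * i)
        keys[kvno] = key
    return keys

def parse_keytab(data):
    """Parse an MIT v2 keytab (magic 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", data, off)
        off += 4
        realm = data[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off)
            off += 2
            comps.append(data[off:off + clen].decode())
            off += clen
        _ntype, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if off + 4 <= end:                # optional 32-bit kvno after the key
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": enctype, "key": key})
    return entries

def build_keytab(entries):
    """Build a v2 keytab image from entry dicts; used here only to construct samples."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", 1, 0, e["kvno"] & 0xFF, e["enctype"], len(e["key"]))
        body += e["key"] + struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return out

def check_afs_key_sync(keyfile_data, keytab_data, cell, realm):
    """List the reasons a stock (unmodified) krb524d could not convert tickets
    for cell/realm; an empty list means the keytab entry and KeyFile agree."""
    afs_keys = parse_afs_keyfile(keyfile_data)
    wanted = {"afs/%s@%s" % (cell, realm), "afs@%s" % realm}
    matches = [e for e in parse_keytab(keytab_data) if e["principal"] in wanted]
    if not matches:
        return ["no afs/%s or afs entry for realm %s in keytab" % (cell, realm)]
    problems = []
    for e in matches:
        tag = "%s kvno %d enctype %d" % (e["principal"], e["kvno"], e["enctype"])
        if e["enctype"] not in DES_ENCTYPES:
            problems.append(tag + ": not a single-DES enctype, cannot match a KeyFile key")
        elif e["kvno"] not in afs_keys:
            problems.append(tag + ": kvno absent from KeyFile (has %s)" % sorted(afs_keys))
        elif afs_keys[e["kvno"]] != e["key"]:
            problems.append(tag + ": key bytes differ from the KeyFile entry with that kvno")
    return problems

# Constructed sample material (not real keys) for a hypothetical cell example.org:
# a KeyFile holding one key at kvno 3, and keytabs to compare against it.
CELL, REALM = "example.org", "EXAMPLE.ORG"
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")
SAMPLE_KEYFILE = struct.pack(">ii8s", 1, 3, SAMPLE_KEY).ljust(4 + 12 * MAXKEYS, b"\0")

def sample_keytab(kvno, enctype, key):
    return build_keytab([{"principal": "afs/%s@%s" % (CELL, REALM),
                          "kvno": kvno, "enctype": enctype, "key": key}])

KEYTAB_OK = sample_keytab(3, 1, SAMPLE_KEY)          # in sync with the KeyFile
KEYTAB_BAD_KVNO = sample_keytab(4, 3, SAMPLE_KEY)    # kvno 4 is not in the KeyFile
KEYTAB_AES = sample_keytab(3, 17, bytes(16))         # aes128-cts, not a DES key
```

To run it against a real cell, read `/usr/afs/etc/KeyFile` and the KDC keytab as bytes and pass them to `check_afs_key_sync` with your cell and realm. Any line it reports is a condition the stock krb524d would trip over and the modified daemon above (which decrypts with the K5 key and re-encrypts with whatever the KeyFile holds) does not care about.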