[OpenAFS] Kerberos 5, AFS, and no krb524d

Derrick J Brashear shadow@dementia.org
Sun, 8 Jun 2003 23:51:35 -0400 (EDT)


On Sun, 8 Jun 2003, Rodney Dyer wrote:

> At 03:09 PM 6/6/03 -0500, Neulinger, Nathan wrote:
> >Then you have a "big project" maintaining compatibility with lots of
> >kerb distributions, instead of a small project doing so.... Latter is
> >much easier to maintain I believe.
>
> Why?  Far be it from me to make this supposition but I'm going to.  There
> exists one open source project for AFS and as far as I'm concerned one open
> source project for Kerberos.  If AFS is going to transition to Kerb 5, then
> it should use a Kerberos open source project to "meld" with.  If I'm not
> mistaken that's the MIT Kerberos distribution.  Are there others of any
> significance?  Please tell me if there are because I haven't heard of any.

Heimdal. Shishi isn't mature enough yet, but Heimdal certainly is.

> Let's see a show of hands of AFS users who want to transition to Kerb
> 5?  Let's see a show of hands of users who wouldn't mind the "klog -mitv5"
> command calling the MIT distribution's Kerberos library interfaces?

I suspect Heimdal will just support whatever we end up doing for "real
krb5 authentication", and you'd need krb5 libraries anyhow, so if I can
avoid needing to build one against the other, and it's clear I can...

> >I think that's the end goal, but getting there will be a while. We
> >currently don't have any dependency or integration of krb5 at compile
> >time into the openafs build. Maybe we should, not clear.
>
> Yes, you should.  Otherwise AFS is going to languish in the back waters
> from a LOTR Gollum type schizophrenia of indecision...should we, or
> shouldn't we, should we, or shouldn't we.

See above.

> The only real standard on Windows machines for Kerberos authentication is
> through the SSPI.  And I'm pretty sure you don't want to go that
> route...right?

Well, on Windows it's probably the case that:

> So, it's either MIT's distribution or nothing else.

Or through SSPI, but yes.

> You
> might argue that there are lots of Kerberos distributions, but are they
> open in any sense of the word?  Why tie the OpenAFS project to close source
> distributions?

Heimdal is more open than MIT: MIT still won't distribute to
"foreigners".

> Hmm...just thinking...for the Windows users...so would it be possible to
> create an AFS K5 service principal on Microsoft's AD server, then request
> that service principal, strip it clean, then stuff it into the AFS token
> cache?  I suppose the salts would be a problem here.  But, if you could do
> this, you wouldn't need the krb524 code right?

Well, it should be as long as it matches the AFS key on your AFS servers
(kvno and key). But "not needing krb524" is currently the same as
otherwise: only if you transmogrify the ticket somehow, namely, stripping
all but the encrypted part.

> Anybody got any ideas in this direction?  Am I talking out of my Uranus?
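As an added example (not code from this thread or from OpenAFS), here is what "stripping all but the encrypted part" of a Kerberos 5 ticket comes down to at the wire-format level: the Ticket is DER-parsed per RFC 4120 section 5.3 and only its enc-part (the EncryptedData carrying etype, kvno and cipher) is kept, while the cleartext tkt-vno, realm and sname are discarded. The sample ticket, its realm and service names and its cipher bytes are all constructed here; how the result would then be placed into an AFS token is not shown.

```python
def der_len(n):                  # DER length: short form below 128, else 0x80|count + bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n, body):                # EXPLICIT context tag [n], constructed encoding
    return tlv(0xA0 | n, body)

def read_tlv(buf, pos=0):        # -> (tag, value bytes, position just after this TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                # long-form length
        count = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + ln], pos + ln

def read_fields(seq):            # context-tag number -> inner DER, for each [n] field
    fields, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = val
    return fields

def build_sample_ticket(realm, service, cipher, etype=18, kvno=3):
    """Constructed sample (not a real ticket): Ticket ::= [APPLICATION 1] SEQUENCE
    { tkt-vno [0], realm [1], sname [2], enc-part [3] EncryptedData }, RFC 4120 5.3."""
    gs = lambda s: tlv(0x1B, s.encode())                                # KerberosString
    num = lambda n: tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # INTEGER
    sname = tlv(0x30, ctx(0, num(2)) +                                  # NT-SRV-INST
                      ctx(1, tlv(0x30, b"".join(gs(p) for p in service))))
    enc = tlv(0x30, ctx(0, num(etype)) + ctx(1, num(kvno)) + ctx(2, tlv(0x04, cipher)))
    return tlv(0x61, tlv(0x30, ctx(0, num(5)) + ctx(1, gs(realm)) + ctx(2, sname) + ctx(3, enc)))

def strip_to_encpart(ticket):
    """Drop tkt-vno, realm and sname; keep the EncryptedData (etype, kvno, cipher) intact."""
    tag, body, _ = read_tlv(ticket)
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket ([APPLICATION 1])")
    enc_der = read_fields(read_tlv(body)[1])[3]                # enc-part [3], DER untouched
    e = read_fields(read_tlv(enc_der)[1])
    as_int = lambda d: int.from_bytes(read_tlv(d)[1], "big", signed=True)
    return {"etype": as_int(e[0]), "kvno": as_int(e[1]) if 1 in e else None,
            "cipher": read_tlv(e[2])[1], "der": enc_der}

if __name__ == "__main__":
    t = build_sample_ticket("EXAMPLE.ORG", ["afs", "cell.example.org"], bytes(range(100)))
    print(len(t), "byte ticket ->", len(strip_to_encpart(t)["der"]), "byte enc-part")
```

The constructed 180-byte sample ticket reduces to its 116-byte enc-part; the kvno and etype it carries still have to match the key on the AFS servers, as the reply above notes.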