[OpenAFS] Kerberos 5, AFS, and no krb524d

Douglas E. Engert deengert@anl.gov
Mon, 09 Jun 2003 10:59:39 -0500


Nicholas Henke wrote:
> 
> On Fri, 2003-06-06 at 11:07, Douglas E. Engert wrote:
> > Nicholas Henke wrote:
> > >
> > > On Thu, 2003-06-05 at 16:29, Douglas E. Engert wrote:
> > >
> > > > I will let someone else answer this, as modified krb524d we use uses one key
> > > > for the K5 ticket to decrypt it, then reads the AFS keyfile to get the key
> > > > in which to encrypt the AFS token, thus avoiding many of these key sync issues.
> > > > like enctypes or kvno don't have to match.
> > >
> > > Is the modified krb524d something that would be useful to me -- or
> > > possibly others ?
> >
> > Yes they could be. We are running krb5-1.2.8  See
> > ftp://achilles.ctd.anl.gov/pub/kerberos.v5/afs524.notes
> > ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5128.cdiffp.20030606
> > ftp://achilles.ctd.anl.gov/pub/kerberos.v5/ak5log.20030606.tar
> >
> > Older versions are under ftp://achilles.ctd.anl.gov/pub/kerberos.v5/old/
> >
> > Look at the krb524* changes listed in the k5128 diff file above.
> > These changes were originally written when we had DFS as well as AFS,
> > and we were trying to use the Transarc AFS/DFS Migration.
> > Because of the way it worked, the changes and the ak5log program
> > were using principals of afsx/<cell>@<realm>. If you want to
> > use your current aklog, you could use the afs/<cell>@<realm>
> > You will need to change the compare in conv_princ.c from "afsx" to "afs"
> > (But I have not tried this.)
> >
> > You need to compile the Kerberos with -DAFS524
> >
> > These changes were originally submitted to MIT in 1996.
> > Maybe it is time to submit them again?
> 
> Do the changes in k5128 need to be used for the ak5log to work, or will
> ak5log work on its own with a regular K5 setup ?

I think you are asking if the ak5log I have can run with the standard 
Kerberos krb524 lib and krb524d.

I think it could if you change the "afsx" to "afs" in the client. 
  aklog_main.c:#define AFSKEYX "afsx" 
But I have not tried this.  The ak5log compiles easily, but is manual,
so you could try this in a few minutes. If it does not, send me some
comments.

The ak5log was written to also work with the DFS/AFS translator, which
used the encrypted part of the K5 ticket, as the token, much like
AFS is trying to do today without having to translate it.
In this case it was using afs@<realm>


> 
> Nic
> --
> Nicholas Henke
> Penguin Herder & Linux Cluster System Programmer
> Liniac Project - Univ. of Pennsylvania

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444