[OpenAFS] Kerberos 5, AFS, and no krb524d

Rodney M Dyer rmdyer@uncc.edu
Mon, 09 Jun 2003 12:16:01 -0400


At 09:51 AM 6/9/2003 -0500, Douglas E. Engert wrote:

>The end goal should be to keep AFS flexible enough to work with any
>authentication system in a secure manner, and to not get it tied too closely
>to any one.  This may be some version of Kerberos or some other authentication
>system. AFS is a file system where the client and file server need to
>communicate on behalf of some user who has rights to access files.

Well then the solution seems straight forward.  The OpenAFS group needs to 
create a standardized wrapper library for obtaining the AFS credential 
(token).  The "klog" command then needs to be renamed to "afslogon" and all 
references to anything kerberos needs to be stripped out of the code 
base.  Then, you just end up calling your authentication wrapper with the 
information to obtain the token.  The wrapper does the work of determining 
which authentication method you are using, getting the token, etc.  Gee, 
this hints of a mechanism like SASL.  The way I see it, AFS is way too 
dedicated to Kerberos.  OpenAFS and Kerberos share a common 
history.  Separating the two is like cutting off an arm.

> > Hmm...just thinking...for the Windows users...so would it be possible to
> > create an AFS K5 service principal on Microsoft's AD server, then request
> > that service principal, strip it clean, then stuff it into the AFS token
> > cache?
>
>Yes, that is very possible.
>
> > I suppose the salts would be a problem here.  But, if you could do
> > this, you wouldn't need the krb524 code right?
>
>No, the salt has to do the authentication of the user. It has nothing
>to do with the actual AFS token. You are thinking it is a one step process,
>but it is a two step process, authentication to a third party, then obtaining
>the token.

Blinded by ignorance, you are correct.  First get TGT (auth), then get 
service ticket, convert the bits and stuff into cache?

So if I've set up my AD domain to trust a MIT Kerberos realm's TGT, then I 
could just request my AFS service principal ticket from my AD server right?

Err, being ignorant here...how exactly would I install the AFS principal 
into the AD kerberos database?  What I mean is...I know that we have the 
"setspn.exe" utility available from Microsoft.  I'm just not sure what 
information I'd need to do this.

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp

 From the readme...

http://www.coe.uncc.edu/~rmdyer/setspn_readme.txt

So, I need to set up the "account" for AFS first, then declare it a service 
principal with this tool?

Assuming I did this I'd have a valid Kerberos 5 AFS service principal on 
the AD that could be requested by the user through the SSPI interface?

Anybody care to elaborate?

Rodney
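The account-then-setspn sequence the message asks about, written out as an added example (editor's illustration, not code from the original post, from OpenAFS, or from Microsoft). The realm AD.EXAMPLE.EDU, the cell name example.edu, the account name "afs", and the afs/<cell> form of the service principal name are all assumptions for the sake of the example; only `net user` and `setspn -A` / `setspn -L` are the real commands.

```powershell
# Added example: register an AFS service principal in Active Directory
# with setspn.exe. Not from the original post, OpenAFS, or Microsoft.
param(
    [string]$Realm   = "AD.EXAMPLE.EDU",  # assumption: Kerberos realm of the AD domain
    [string]$Cell    = "example.edu",     # assumption: the AFS cell name
    [string]$Account = "afs"              # assumption: AD account that carries the SPN
)

# Assumption: the client asks for a ticket for afs/<cell>@REALM, so the
# service principal name registered on the account is afs/<cell>.
$Spn = "afs/$Cell"

# 1. Create the domain account that will own the service principal.
#    "*" makes net user prompt for the password rather than leaving it in
#    the command line or the shell history. That password is the key the
#    service ticket is encrypted to, so it is a service key, not a user one.
& net user $Account * /add /domain
if ($LASTEXITCODE -ne 0) { throw "could not create account $Account" }

# 2. Declare the account a service principal by adding the SPN to it.
& setspn -A $Spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn -A $Spn $Account failed" }

# 3. Check: list every SPN registered on the account. The same SPN on
#    two accounts breaks ticket issuance, so this should show it once,
#    and only here.
& setspn -L $Account

Write-Output "SSPI clients will request a ticket for $Spn@$Realm"
```

Two things this does not do that a practitioner will still need: registering the SPN only tells the KDC which account's key to encrypt the service ticket with, so the AFS servers must hold that same key before they can decrypt tokens built from those tickets; and AD of that era issued RC4 tickets by default, while AFS expected single DES, so the account's encryption type has to match what the AFS side can use.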