[OpenAFS] newbie OpenAFS troubles

Douglas E. Engert deengert@anl.gov
Mon, 03 Nov 2003 13:41:50 -0600


Derek Atkins wrote:
> 
> "Mehta, Rohit" <rohitm@engr.uconn.edu> writes:
> 
> > I thought that aklog provided by Debian's openafs-krb5 eliminated
> > the need for krb524d.  I guess my alternatives now are use aklog and
> > run krb524d or use gssklog.
> 
> Well, gssklog requires gssklogd, so in either case you're still
> running a "token generation server".  The benefit of aklog is that
> _eventually_ someone could write a more intelligent version that did
> NOT require the krb524d step....  But nobody has written that, yet.
> You're welcome to do it and submit the code :)

An update on this - Microsoft is working on a patch to the AD so a
flag can be set so tickets for a specific service (i.e. afs/cell@realm)
can be issued without a PAC. With the current restriction on the size of the
ticket needed for AFS, an MS AD as the KDC is not very usable at this time.
(Currently a small ticket can be obtained if using the LSA and SSPI with the
SEC_WINNT_AUTH_IDENTITY_ONLY flag on the client to an AD. This causes a
pa-data type of PA_PAC_REQUEST to be sent. This only works if the client and
KDC are both MS. It is not usable if the client is using Kerberos directly
or the KDC is not MS, as neither understands how to handle the PA_PAC_REQUEST.)

When this patch to AD is available many of the above restrictions
could be removed and a "token generation server" would not be
needed.

You might also want to see:
ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.0.tar

This is a partial implementation, but it relies on the MS LSA and SSPI.
When the patch is available, it could be modified. The msklog_get_ticket
routine could be replaced with one that gets a ticket using straight Kerberos,
which would work on UNIX.

> 
> > Thanks for the help!
> >
> > Rohit
> 
> -derek
> 
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
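As an added example (not code from this thread or from msklog), the pre-authentication data Doug refers to as PA_PAC_REQUEST is shown here as a small DER encoder/decoder, so a reader can see exactly what a client puts in its request when it asks an AD KDC to leave the PAC out of a ticket. The padata-type value 128 and the ASN.1 shape `KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }` come from Microsoft's MS-KILE specification, not from the message; the function names are this example's own.

```python
# PA-PAC-REQUEST padata (MS-KILE): padata-type 128, value is the DER of
#   KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
# include-pac FALSE asks the KDC for a PAC-less (small) ticket, which is what
# an AFS token needs given the ticket size limit discussed in the thread.
PA_PAC_REQUEST = 128


def _der_len(n: int) -> bytes:
    # Short-form length is all this structure ever needs (7 bytes total).
    if n >= 0x80:
        raise ValueError("unexpected long-form length")
    return bytes([n])


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """DER-encode KERB-PA-PAC-REQUEST for the given include-pac value."""
    boolean = b"\x01\x01" + (b"\xff" if include_pac else b"\x00")  # BOOLEAN
    ctx0 = b"\xa0" + _der_len(len(boolean)) + boolean              # [0] EXPLICIT
    return b"\x30" + _der_len(len(ctx0)) + ctx0                    # SEQUENCE


def decode_pa_pac_request(der: bytes) -> bool:
    """Strictly parse KERB-PA-PAC-REQUEST; reject anything not DER-shaped."""
    if len(der) != 7 or der[0] != 0x30 or der[1] != 5:
        raise ValueError("not a KERB-PA-PAC-REQUEST SEQUENCE")
    if der[2] != 0xA0 or der[3] != 3 or der[4] != 0x01 or der[5] != 1:
        raise ValueError("malformed include-pac [0] BOOLEAN")
    if der[6] not in (0x00, 0xFF):
        # DER allows only 0x00 / 0xFF for BOOLEAN; BER lenience is a
        # classic source of parser disagreement, so refuse it here.
        raise ValueError("non-DER BOOLEAN value")
    return der[6] == 0xFF


def padata_for_pacless_ticket() -> tuple[int, bytes]:
    """(padata-type, padata-value) a client adds to its AS-REQ/TGS-REQ to
    request a ticket without a PAC, as described in the message above."""
    return PA_PAC_REQUEST, encode_pa_pac_request(False)


if __name__ == "__main__":
    ptype, pvalue = padata_for_pacless_ticket()
    print(f"padata-type {ptype}, value {pvalue.hex()}")  # 3005a003010100
```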