[OpenAFS] newbie OpenAFS troubles

Douglas E. Engert deengert@anl.gov
Mon, 03 Nov 2003 16:29:21 -0600


Derek Atkins wrote:
> 
> "Douglas E. Engert" <deengert@anl.gov> writes:
> 
> > When this patch to AD is available many of the above restrictions
> > could be removed and a "token generation server" would be not
> > needed.
> >
> > You might also want to see:
> > ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.0.tar
> 
> I think a patch to the existing krb5 aklog would be more useful than
> a completely new implementation.

The msklog started from the cklog example. The two main functions of
getting a ticket and setting the token are separated. I was interested in 
using the MS LSA and SSPI to get the ticket, so there would be no need for
any additional Kerberos header, source or DLLs other than those provided 
by OpenAFS.  

I would think the same code could be merged back into aklog. I just have 
not done that as the size of the K5 ticket from AD is still an issue. The 
use of the SEC_WINNT_AUTH_IDENTITY_ONLY has its own set of problems. (It
appears to get a new TGT using a stashed password!) 

I found it was much easier to start from the cklog program, as this was 
meant to be a test program to test if a W2K AD could be used as the KDC 
to get a small K5 ticket usable for AFS. Once the MS patch is available,
then the msklog can be modified to not use the SEC_WINNT_AUTH_IDENTITY_ONLY
and it should work against any KDC. 


> 
> -derek
> 
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444