[OpenAFS] newbie OpenAFS troubles
Douglas E. Engert
deengert@anl.gov
Mon, 03 Nov 2003 16:29:21 -0600
Derek Atkins wrote:
>
> "Douglas E. Engert" <deengert@anl.gov> writes:
>
> > When this patch to AD is available many of the above restrictions
> > could be removed and a "token generation server" would be not
> > needed.
> >
> > You might also want to see:
> > ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.0.tar
>
> I think a patch to the existing krb5 aklog would be more useful than
> a completely new implementation.
The msklog started from the cklog example. The two main functions of
getting a ticket and setting the token are separated. I was interested in
using the MS LSA and SSPI to get the ticket, so there would be no need for
any additional kerberos header, source or DLLs other then those provided
by OpenAFS.
I would think the same code could be merged back into aklog. I just have
not done that as the size of the K5 ticket from AD is still an issue. The
use of the SEC_WINNT_AUTH_IDENTITY_ONLY has its own set of problems. (It
appears to gets a new TGT using a stashed password!)
I found it was much easier to start from the cklog program, as this was
meant to be a test program to test if a W2K AD could be used as the KDC
to get a small K5 ticket usable for AFS. Once the MS patch is available,
then the msklog can be modified to not use the SEC_WINNT_AUTH_IDENTITY_ONLY
and it should work against any KDC.
>
> -derek
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444