[OpenAFS] Using OpenAFS with existing Kerberos servers

David Howells dhowells@redhat.com
Mon, 01 Sep 2003 15:45:35 +0100


> Yes, do a search for 'krb5 migration kit',

Seems that if you're not a US denizen, then your head falls off and the US
government breathes down your neck if you download it. :-)

> or search the list archives for krb5. Lots of discussion on how to do it.

I'll do that.

> You basically just need a afs@REALM key on kdc, and a krb524d server w/
> aklog on the clients.

Yes, yes and yes. It still doesn't work though:

 No. Time Source    Destination Protocol Info
   3 0    rogon     pepper      KRB5     AS-REQ
   4 0    pepper    rogon       KRB5     AS-REP
   7 24   rogon     pepper      KRB5     TGS-REQ
   8 24   pepper    rogon       KRB5     TGS-REP
   9 24   rogon     pepper      UDP      Source port: 1144  Dest port: krb524
  10 24   pepper    rogon       UDP      Source port: krb524  Dest port: 1144
  11 24   rogon     openafs     AFS (RX) PROT Request: name-to-id (504)
  12 24   openafs   rogon       AFS (RX) PROT Reply: name-to-id (504)
  13 24   rogon     openafs     RX       ACK  Seq: 0  Call: 1  Source Port: 114
  16 31   rogon     openafs     AFS (RX) FS Request: fetch-status (132)
  17 31   openafs   rogon       RX       CHALLENGE  Seq: 0  Call: 0  Source Por
  18 31   rogon     openafs     RX       RESPONSE  Seq: 0  Call: 0  Source Port
  19 31   openafs   rogon       RX       ACK  Seq: 0  Call: 1  Source Port: afs
  20 32   openafs   rogon       RX       ABORT  Seq: 0  Call: 0  Source Port: a
  21 32   rogon     openafs     AFS (RX) FS Request: fetch-status (132)
  22 32   openafs   rogon       RX       ACK  Seq: 0  Call: 1  Source Port: afs
  23 32   rogon     openafs     RX       ACK  Seq: 0  Call: 1  Source Port: afs
  24 32   openafs   rogon       AFS (RX) CB Request: who-are-you (212)
  25 32   rogon     openafs     AFS (RX) CB Reply: who-are-you (212)
  26 32   openafs   rogon       RX       ACK  Seq: 0  Call: 3  Source Port: afs
  27 32   openafs   rogon       AFS (RX) FS Reply: fetch-status (132)
  28 32   rogon     openafs     RX       ACK  Seq: 0  Call: 1  Source Port: afs

Where:

	rogon		AFS client
	openafs		AFS server
	rogon		KDC

And I seem to have an appropriate ticket cached:

dhowells>klist
Ticket cache: FILE:/tmp/krb5cc_4043
Default principal: dhowells@CAMBRIDGE.REDHAT.COM

Valid starting     Expires            Service principal
09/01/03 15:23:11  09/02/03 01:23:11  krbtgt/CAMBRIDGE.REDHAT.COM@CAMBRIDGE.REDHAT.COM
09/01/03 15:23:35  09/02/03 01:23:11  afs/cambridge.redhat.com@CAMBRIDGE.REDHAT.COM


Kerberos 4 ticket cache: /tmp/tkt4043
klist: You have no tickets cached


But I'm not sure whether aklog should result in a ticket winding up in the
Krb4 cache as well.

David
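As an added example (not part of the thread, and not OpenAFS or MIT code), the script below turns the two artifacts quoted in the message above, the packet-trace summary and the `klist` output, into a mechanical check. It confirms that the three exchanges aklog depends on (AS, TGS, and the krb524 UDP round trip) are all present, that a Kerberos 5 service ticket for an `afs/...` principal is in the cache, and then flags the RX pattern that actually matters in the trace: the fileserver sends a CHALLENGE, the client answers with a RESPONSE, and the server replies with an ABORT on call 0. In rxkad that sequence means the server could not validate the client's response to its challenge, which in practice is usually a key or kvno mismatch between the `afs` principal on the KDC and the server's KeyFile rather than a problem on the Kerberos side. On the final question in the message: aklog hands the converted ticket to the cache manager as an AFS token (visible with `tokens`), it does not write a Kerberos 4 ticket file, so an empty `/tmp/tkt4043` is expected. The sample inputs are constructed copies of the quoted output (the trace is a subset of the frames); the regex assumes the column layout shown there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the frame-summary lines quoted in the message
# (frame no., time, source, destination, protocol, info).
TRACE = """\
   3 0    rogon     pepper      KRB5     AS-REQ
   4 0    pepper    rogon       KRB5     AS-REP
   7 24   rogon     pepper      KRB5     TGS-REQ
   8 24   pepper    rogon       KRB5     TGS-REP
   9 24   rogon     pepper      UDP      Source port: 1144  Dest port: krb524
  10 24   pepper    rogon       UDP      Source port: krb524  Dest port: 1144
  11 24   rogon     openafs     AFS (RX) PROT Request: name-to-id (504)
  12 24   openafs   rogon       AFS (RX) PROT Reply: name-to-id (504)
  16 31   rogon     openafs     AFS (RX) FS Request: fetch-status (132)
  17 31   openafs   rogon       RX       CHALLENGE  Seq: 0  Call: 0  Source Por
  18 31   rogon     openafs     RX       RESPONSE  Seq: 0  Call: 0  Source Port
  19 31   openafs   rogon       RX       ACK  Seq: 0  Call: 1  Source Port: afs
  20 32   openafs   rogon       RX       ABORT  Seq: 0  Call: 0  Source Port: a
  21 32   rogon     openafs     AFS (RX) FS Request: fetch-status (132)
"""

# Constructed sample: the klist output quoted in the message.
KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_4043
Default principal: dhowells@CAMBRIDGE.REDHAT.COM

Valid starting     Expires            Service principal
09/01/03 15:23:11  09/02/03 01:23:11  krbtgt/CAMBRIDGE.REDHAT.COM@CAMBRIDGE.REDHAT.COM
09/01/03 15:23:35  09/02/03 01:23:11  afs/cambridge.redhat.com@CAMBRIDGE.REDHAT.COM
"""

# Assumed column layout: no, time, src, dst, protocol ("AFS (RX)" contains a space), info.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(AFS \(RX\)|KRB5|UDP|RX)\s+(.*)$"
)


@dataclass
class Frame:
    no: int
    time: int
    src: str
    dst: str
    proto: str
    info: str


def parse_trace(text: str) -> List[Frame]:
    """Parse summary lines; header and unrecognised lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        no, t, src, dst, proto, info = m.groups()
        frames.append(Frame(int(no), int(t), src, dst, proto, info.strip()))
    return frames


def kerberos_steps(frames: List[Frame]) -> Dict[str, bool]:
    """Were all three exchanges aklog needs (AS, TGS, krb524) observed?"""
    def seen(proto: str, needle: str) -> bool:
        return any(f.proto == proto and needle in f.info for f in frames)

    return {
        "as_exchange": seen("KRB5", "AS-REQ") and seen("KRB5", "AS-REP"),
        "tgs_exchange": seen("KRB5", "TGS-REQ") and seen("KRB5", "TGS-REP"),
        "krb524_exchange": seen("UDP", "Dest port: krb524")
        and seen("UDP", "Source port: krb524"),
    }


def rx_auth_failures(frames: List[Frame], window: int = 3) -> List[Tuple[int, int]]:
    """Return (response_frame, abort_frame) pairs: the client answered a
    CHALLENGE with a RESPONSE and the server aborted the connection (call 0)
    within the next few frames, i.e. the server rejected the rxkad response."""
    failures = []
    for i, f in enumerate(frames):
        if f.proto != "RX" or not f.info.startswith("RESPONSE"):
            continue
        for g in frames[i + 1 : i + 1 + window]:
            if (g.proto == "RX" and g.info.startswith("ABORT")
                    and g.src == f.dst and g.dst == f.src and "Call: 0" in g.info):
                failures.append((f.no, g.no))
                break
    return failures


def afs_service_ticket(klist_text: str) -> Optional[str]:
    """Return the afs/ service principal from klist output, or None if absent."""
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4].startswith("afs/"):
            return parts[4]
    return None


if __name__ == "__main__":
    frames = parse_trace(TRACE)
    print("kerberos steps:", kerberos_steps(frames))
    print("afs ticket:", afs_service_ticket(KLIST))
    print("rx auth failures (RESPONSE -> ABORT):", rx_auth_failures(frames))
```

Run against the quoted data, every Kerberos step and the service ticket check come back positive, and the only finding is the RESPONSE/ABORT pair at frames 18 and 20, which points the investigation at the fileserver's key material rather than at the KDC or krb524d.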