[OpenAFS] When Using Kerberos5 is klog necessary?
Derek Atkins
warlord@MIT.EDU
Thu, 01 Jan 2004 14:09:59 -0500
Jeffrey Altman <jaltman@columbia.edu> writes:
> On Windows, the ticket manager (Leash) already performs the following logic:
>
> 1. obtain a k5 tgt for REALM
> 2. obtain default AFS cell
> 3. attempt to obtain a k5 afs/cell@REALM or afs/cell@CELL or afs@CELL
> 4. if successful, perform krb524 on ticket to get k4 afs ticket and
> munge into AFS token
>
> This works fine for one cell. But what if you need to obtain tokens
> for multiple cells
> using the same tgt? The question is how and where to specify that?
>
> Some MIT users for example may require tokens for both the
> athena.mit.edu and the media-lab.mit.edu cells which they could obtain
> using krb5 cross-realm with their ATHENA.MIT.EDU tgt. I thought this
> is the problem which we were attempting to solve.
There are three things that I think MIT users might want to do once they
have Athena kerberos tickets (and AFS tokens):
1) authenticate to an AFS cell that uses the same kerberos realm,
e.g. sipb.mit.edu or dev.mit.edu
2) authenticate to an AFS cell that uses cross-realm, e.g. andrew.cmu.edu
or media-lab.mit.edu
3) authenticate to an AFS cell that uses a different kerberos realm completely,
e.g. transarc.com
Generally, #1 and #2 work by just running "aklog" and that has the
magic to obtain the proper afs service ticket and convert it into a
token. #3 generally requires a second Krb5 Credential Cache.
I think the question is: what should the OpenAFS-1.4 authentication
model be, and what should it assume? Do we want to have a closer tie
to krb5, and if so what's the migration path for existing clients to
the new auth model?
> - Jeff
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available