[OpenAFS] Newbie krb524 question

Jeffrey Altman jaltman@columbia.edu
Thu, 10 Jun 2004 14:34:07 -0400


Justice, William (WJJ.) wrote:

> Sorry for the newbie question... Is there any documentation on setting 
> up krb524?  Google didn't show much...
>
> Is it possible to run it on my active directory server (windows 
> 2000)?  Do I need to do anything special on the windows AFS client or 
> my linux AFS server?
>
>-- Bill
>
The attached readme is the only documentation on the krb524d service.
The information on the internals of the library is out of date, as the
library no longer exists and equivalent functionality has been added to
the krb5 library, but using different function names and prototypes.

You want to use krb524d with the keytab option.

Jeffrey Altman



Attachment: README

Copyright 1994 by OpenVision Technologies, Inc.

Permission to use, copy, modify, distribute, and sell this software
and its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appears in all copies and
that both that copyright notice and this permission notice appear in
supporting documentation, and that the name of OpenVision not be used
in advertising or publicity pertaining to distribution of the software
without specific, written prior permission. OpenVision makes no
representations about the suitability of this software for any
purpose.  It is provided "as is" without express or implied warranty.

OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.


Kerberos V5 to Kerberos V4 Credentials Converting Service, ALPHA RELEASE
========================================================================

krb524 is a service that converts Kerberos V5 credentials into
Kerberos V4 credentials suitable for use with applications that for
whatever reason do not use V5 directly.  The service consists of a
server that has access to the secret key of the Kerberos service for
which credentials will be converted, and a library for use by client
programs that wish to use the server.

The protocol is simple.  Suppose that a client C wishes to obtain V4
credentials for a V5 service S by using the krb524 server.  The
notation {C,S}_n represents a Vn service ticket for S for use by C.

(1) C obtains V5 credentials, including a ticket {C,S}_5, for S by the
normal V5 means.

(2) C transmits {C,S}_5 to KRB524.

(3) KRB524 converts {C,S}_5 into {C,S}_4.

(4) KRB524 transmits {C,S}_4 to C.

(5) C creates a V4 credentials structure from the plaintext
information in the V5 credential and {C,S}_4.

Steps (2) through (4) are encapsulated in a single function call in
the krb524 library.
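The five steps above, modelled end to end in Python as an added example (this is not code from the krb524 distribution). The Kerberos enctypes are replaced by a stand-in authenticated cipher built from the standard library, tickets are JSON rather than the real V4/V5 encodings, and the UDP hop to krb524d is a direct function call; the names kdc_issue_v5, krb524d_convert, client_convert and service_accepts are assumptions of this model. What the model keeps is the trust boundary the README describes: only the KDC and krb524d ever hold S's secret key, the client only ever sees the plaintext part of its credentials, and a ticket sealed under any other key is refused. It also refuses session keys that are not 8 bytes, since Kerberos V4 tickets carry a single-DES session key (one instance of "not all V5 credentials can be converted").

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode (not a Kerberos enctype)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a random nonce; models 'encrypted under S's key'."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting, so a ticket sealed under another key is rejected."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ticket does not verify under this service key")
    return bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class Creds:
    """The plaintext part the client can read, plus the opaque ticket {C,S}_n."""
    version: int
    client: str
    server: str
    session_key: bytes
    endtime: int
    ticket: bytes


def kdc_issue_v5(service_key: bytes, client: str, server: str,
                 session_key: bytes, endtime: int) -> Creds:
    """Step (1): the KDC issues {C,S}_5, sealed under S's key, alongside the plaintext part."""
    enc_part = json.dumps({"client": client, "key": session_key.hex(),
                           "endtime": endtime}).encode()
    return Creds(5, client, server, session_key, endtime, seal(service_key, enc_part))


def krb524d_convert(keytab: dict, server: str, v5_ticket: bytes) -> bytes:
    """Step (3), inside krb524d: open {C,S}_5 with S's key from the keytab, reissue as {C,S}_4.

    With -k, krb524d only holds the keys in its keytab, so other services cannot be
    converted.  V4 tickets carry a single-DES session key, so other sizes are refused
    (modelled limitation; the real service's error codes are not shown here)."""
    if server not in keytab:
        raise KeyError(f"no key for {server} in keytab")
    inner = json.loads(unseal(keytab[server], v5_ticket))
    if len(bytes.fromhex(inner["key"])) != 8:
        raise ValueError("V4 tickets need an 8-byte DES session key")
    v4_part = json.dumps({"v": 4, "client": inner["client"], "key": inner["key"],
                          "endtime": inner["endtime"]}).encode()
    return seal(keytab[server], v4_part)


def client_convert(v5: Creds, keytab: dict) -> Creds:
    """Steps (2), (4), (5) from the client's side; the real library wraps (2)-(4) in one call.

    The keytab argument stands in for the UDP hop to krb524d; the client never reads it."""
    v4_ticket = krb524d_convert(keytab, v5.server, v5.ticket)  # (2) send {C,S}_5, (4) get {C,S}_4
    # (5): the V4 structure is the plaintext V5 information plus {C,S}_4
    return Creds(4, v5.client, v5.server, v5.session_key, v5.endtime, v4_ticket)


def service_accepts(service_key: bytes, v4: Creds) -> bool:
    """What S checks when {C,S}_4 is presented: it opens under S's key and names the same client and key."""
    inner = json.loads(unseal(service_key, v4.ticket))
    return (inner["v"] == 4 and inner["client"] == v4.client
            and bytes.fromhex(inner["key"]) == v4.session_key)


def demo() -> dict:
    """Constructed scenario: one key in the keytab, DES and non-DES session keys, a forged ticket."""
    key = os.urandom(32)                     # S's long-term key: known to the KDC and krb524d only
    keytab = {"afs/cell.example.org": key}
    who = ("bill@EXAMPLE.ORG", "afs/cell.example.org")
    v4 = client_convert(kdc_issue_v5(key, *who, os.urandom(8), 1086892447), keytab)
    results = {"accepted": service_accepts(key, v4)}
    for label, creds, table in (
        ("non_des_refused", kdc_issue_v5(key, *who, os.urandom(16), 1086892447), keytab),
        ("forged_refused", kdc_issue_v5(os.urandom(32), *who, os.urandom(8), 1086892447), keytab),
        ("unknown_service_refused", kdc_issue_v5(key, *who, os.urandom(8), 1086892447), {}),
    ):
        try:
            client_convert(creds, table)
            results[label] = False
        except (KeyError, ValueError):
            results[label] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The keytab dict is the whole of krb524d's authority in this model: a service absent from it cannot be converted, which is exactly the restriction the -k option imposes and the reason a keytab-mode krb524d on a server machine exposes less than one reading the KDC master database.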

An alternate conversion is provided for AFS servers that support the
encrypted part of a krb5 ticket as an AFS token.  If the krb524d is
converting a principal whose first component is afs and if the
encrypted part of the ticket fits in 344 bytes, then it will default
to simply returning the encrypted part of the ticket as a token.  If
it turns out that the AFS server does not support the ticket, then
users will get an unknown key version error and the krb524d must be
configured to use v4 tickets for this AFS service.


Obviously, not all V5 credentials can be completely converted to V4
credentials, since the former is a superset of the latter.  The
precise semantics of the conversion function are still undecided.
UTSL.

Programs contained in this release
======================================================================

krb524d [-m[aster]] [-k[eytab]]

The krb524 server.  It accepts UDP requests on the krb524 service
port, specified in /etc/services, or on port 4444 by default.  (A
request for an official port assignment is underway.)  The -m argument
causes krb524d to access the KDC master database directly; the -k
argument causes krb524d to use the default keytab (and therefore only
be able to convert tickets for services in the keytab).  Only one of
-m or -k can be specified.

test -remote server client service

A test program that obtains a V5 credential for {client,service},
converts it to a V4 credential, and prints out the entire contents of
both versions.  It prompts for service's secret key, which it needs to
decrypt both tickets in order to print them out.  Enter it as an eight
digit ASCII hex number.

k524init [-n] [-p principal]

Convert a V5 credential into a V4 credential and store it in a V4
ticket file.  The client is 'principal', or krbtgt at the V5 ccache's
default principal's realm if not specified.  The -n argument causes
the new ticket to be added to the existing ticket file; otherwise, the
ticket file is initialized.

Configuring krb524d AFS Conversion
======================================================================

The krb524d looks in the appdefaults section of krb5.conf for an
application called afs_krb5 to determine whether afs principals
support encrypted ticket parts as tokens.  The following configuration
fragment says that afs/sipb.mit.edu@ATHENA.MIT.EDU supports the new
token format but afs@ATHENA.MIT.EDU and
afs/athena.mit.edu@ATHENA.MIT.EDU do not.  Note that the default is to
assume afs servers support the new format.

[appdefaults]
afs_krb5 = { 
	ATHENA.MIT.EDU = {
		# This stanza describes principals in the
		#ATHENA.MIT.EDU realm
		afs = false
		afs/athena.mit.edu = false
		afs/sipb.mit.edu = true
	}
}
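As an added example (not part of the krb524 README or the krb5 distribution), the decision rule from the "alternate conversion" paragraph and the configuration section above, written out in Python: a parser for the brace-delimited krb5.conf subset the fragment uses, the afs_krb5 lookup with its stated default of true, and the choice krb524d makes between handing back the encrypted part as an AFS token and producing a V4 ticket. The function names parse_profile, supports_v5_token and krb524d_afs_decision are this example's own, the parser is a simplification of the real krb5 profile library, and SAMPLE_KRB5_CONF is a constructed copy of the fragment.

```python
AFS_TOKEN_LIMIT = 344   # bytes; the size the README gives for the encrypted part

# Constructed krb5.conf text reproducing the README's fragment.
SAMPLE_KRB5_CONF = """\
[appdefaults]
afs_krb5 = {
    ATHENA.MIT.EDU = {
        # This stanza describes principals in the
        #ATHENA.MIT.EDU realm
        afs = false
        afs/athena.mit.edu = false
        afs/sipb.mit.edu = true
    }
}
"""


def parse_profile(text: str) -> dict:
    """Parse [section] headers, `name = { ... }` groups and `name = value` lines
    into nested dicts.  Covers only the subset the fragment above uses; the real
    krb5 profile library handles more (quoting, includes, repeated keys)."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            stack.append(stack[-1].setdefault(name, {}))
        else:
            name, value = (part.strip() for part in line.split("=", 1))
            stack[-1][name] = value
    return root


def _split_principal(principal: str) -> tuple:
    """'afs/sipb.mit.edu@ATHENA.MIT.EDU' -> ('afs/sipb.mit.edu', 'ATHENA.MIT.EDU')."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, "")


def supports_v5_token(profile: dict, principal: str) -> bool:
    """afs_krb5 lookup: the realm's stanza, then the principal without its realm.
    No entry means true, which is the default the README states."""
    name, realm = _split_principal(principal)
    stanza = profile.get("appdefaults", {}).get("afs_krb5", {}).get(realm, {})
    value = stanza.get(name)
    if isinstance(value, str):
        return value.lower() not in ("false", "no", "0")
    return True


def krb524d_afs_decision(profile: dict, service_principal: str, enc_part_len: int) -> str:
    """Which form krb524d returns for a service ticket: 'v5-token' (the encrypted
    part handed back as the AFS token) or 'v4-ticket' (a full V4 conversion).
    All three conditions from the README must hold for the token form."""
    name, _ = _split_principal(service_principal)
    if (name.split("/")[0] == "afs"
            and enc_part_len <= AFS_TOKEN_LIMIT
            and supports_v5_token(profile, service_principal)):
        return "v5-token"
    return "v4-ticket"


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_KRB5_CONF)
    for p in ("afs/sipb.mit.edu@ATHENA.MIT.EDU", "afs@ATHENA.MIT.EDU",
              "afs/athena.mit.edu@ATHENA.MIT.EDU", "afs/other.example@ATHENA.MIT.EDU"):
        print(p, krb524d_afs_decision(prof, p, 300))
```

The symptom the README names for a wrong default, users seeing an unknown key version error from an AFS server that does not understand the token, is what an entry of `false` for that principal is there to cure: with it, krb524d_afs_decision falls through to the V4 ticket for that server and leaves the others on the token path.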


Using libkrb524.a
======================================================================

To use libkrb524.a, #include "krb524.h", link against libkrb524.a,
call krb524_init_ets() at the beginning of your program, and call one
of the following two functions:

int krb524_convert_creds_addr(krb5_creds *v5creds, CREDENTIALS *v4creds,
			 struct sockaddr *saddr)

int krb524_convert_creds_kdc(krb5_creds *v5creds, CREDENTIALS *v4creds)

Both convert the V5 credential in v5creds into a V4 credential in
v4creds.  One assumes krb524d is running on the KDC, the other uses an
explicit host.  You only need to specify the address for saddr; the
port is filled in automatically.

Unresolved issues / Bugs
======================================================================

o krb524d requires access to the secret key of any service to be
converted.  Should krb524d run on the KDC or on individual server
machines?  The latter is more paranoid, since it prevents bugs in
krb524d from providing unauthorized access to the master database.
However, it also requires the client to provide the address of the
server to be used.  The client will usually have this information
(since presumably it will be sending the converted V4 credentials to
the same server) but it may not be in a convenient form.  It seems
"cleaner" to have krb524d run on the KDC.

o Even if krb524d uses keytabs on server machines, it needs to be more
flexible.  You only want to run one krb524d per host, so it has to be
able to scan multiple keytabs.  This might get logistically messy.

o This code is of alpha quality.  Bugs, omissions, memory leaks, and
perhaps security holes still remain.  Do not use it (yet) in a
production environment.
