[OpenAFS] windows AFSclient asks VLDB-server for krb-tokens

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 06 May 2004 13:42:32 -0400 

On Thursday, May 06, 2004 12:09:47 +0200 Jimmy Engelbrecht <jimmy@e.kth.se> 
wrote:

> Jimmy Engelbrecht <jimmy@e.kth.se> writes:
>
>> 2) how do other people solve this issue ?
>
> It just came into my mind that most people run kaserver, however our
> AFS-cell that was set up 11 years ago was initially setup without
> a kaserver ...
>
> the question remains ... what do peolpe do that run heimdal or MIT kdc's
> instead of a kaserver.

Some folks run their KDC's on their dbservers, as Derrick described.


When we were running MIT V4 KDC's, we ran a 'fakeka' service on the KDC, 
and a forwarder on the dbservers, both of which were developed here.  The 
forwarder was stateless; each request sent to the fakeka server by a 
forwarder included information about where the request came from, which 
would be copied into the response so the forwarder would know where to send 
it.  Ken Hornstein ported the fakeka server to work with MIT's V5 server, 
and included it in his migration kit.  We began running that when we 
upgraded to a V5 KDC, using the same forwarders.

The migration toolkit, including the fakeka server for MIT KDC's, is 
available at /afs/grand.central.org/contrib/security/afs-krb5

I can make the ka-forwarder available to people who need it.

During that time, we dealt with Windows boxes by lying to them, and telling 
them that our primary KDC was also a dbserver (and first in the list). 
That allowed authentication to work, and the cache manager would only have 
to time out the phony vlserver once.


When we switched to Heimdal, we stopped needing a separate fakeka server, 
because the Heimdal KDC includes this functionality.  Since then we've run 
what's probably the same forwarder you're using.  We run three copies; one 
each for ports 88, 750, and 7004.  New windows installations no longer have 
the KDC added to the dbserver list, and work fine.  We've been running with 
this configuration for several months.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA