[OpenAFS] One more plea for a transparent Krb5 implementation of klog

Douglas E. Engert deengert@anl.gov
Wed, 27 Apr 2005 15:10:34 -0500


This sounds like an IAKERB version of aklog?
<draft-ietf-cat-iakerb-09.txt>

1. Abstract

    This document defines extensions to the Kerberos protocol
    specification (RFC 1510 [1]) and GSSAPI Kerberos protocol mechanism
    (RFC 1964 [2]) that enables a client to obtain Kerberos tickets for
    services where the KDC is not accessible to the client, but is
    accessible to the application server. Some common scenarios where
    lack of accessibility would occur are when the client does not have
    an IP address prior to authenticating to an access point, the client
    is unable to locate a KDC, or a KDC is behind a firewall. The
    document specifies two protocols to allow a client to exchange KDC
    messages (which are GSS encapsulated) with an IAKERB proxy instead of
    a KDC.



John Tang Boyland wrote:

> As OpenAFS moves toward supporting Kerberos 5 natively, I would
> like to make the request that it be done in the style of current AFS's
> klog and not in the style of 'aklog.'
> 
> (1) aklog requires one to have specific kerberos 5 libraries
> (2) aklog requires one to install kerberos 5 and maintain a /etc/krb5.conf
>     on every client
> (3) krb5.conf is full of cell-specific information
> 
> Currently if one has a client for one cell of AFS, it's easy to start
> accessing things in a different cell given an ID and a password.  All
> that would change if one had to use aklog.  The client's krb5.conf
> file has to have sections added to handle the peculiarities of the new
> cell.  When I've mentioned this before, I was told that why should one
> worry about krb5.conf since administrators already need to do so much
> else (AFS configuration for instance). Perhaps, but in this case, the
> administrators would have to handle foreign cells too.
> 
> What I'd like to see is OpenAFS define a ka-forwarder on database machines
> that understands Kerberos5 so that a (new) klog could use the new
> Kerberos5 abilities without needing a krb5.conf.  The ka-forwarder would
> need to be configured with krb5.conf stuff but only for the local
> cell, and the need to do so should come as no surprise.  For clients,
> CellServDB would contain all that is needed to access a foreign cell.
> 
> John
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
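To make the forwarder idea concrete: the sketch below is an added example, not OpenAFS code and not the IAKERB draft's protocol. It models John's ka-forwarder as a KDC-message relay living on a cell's database server, so a client needs only the server list from CellServDB (no krb5.conf, no realm knowledge) and the forwarder alone talks to the local KDC. Assumptions: the CellServDB fragment and the request/reply byte strings are constructed sample data; the stub KDC answers with canned bytes; and messages are carried with plain RFC 4120 TCP framing (4-byte big-endian length prefix) rather than the GSS encapsulation the IAKERB draft specifies.

```python
import socket
import struct
import threading

# Constructed CellServDB fragment (sample data, not a real cell list).
# ">cell #comment" starts a cell; following lines are its database servers.
SAMPLE_CELLSERVDB = """\
>example.org            #Example cell
127.0.0.1               #db1.example.org
>other.example          #Another cell
198.51.100.5            #afsdb.other.example
"""


def parse_cellservdb(text):
    """Map cell name -> list of database server addresses."""
    cells, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the '#hostname' comment
        if not line:
            continue
        if line.startswith(">"):
            current = line[1:].strip()
            cells.setdefault(current, [])
        elif current is not None:
            cells[current].append(line)
    return cells


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return buf


def send_kdc_msg(sock, msg):
    """RFC 4120 TCP framing: 4-octet big-endian length, then the message."""
    sock.sendall(struct.pack(">I", len(msg)) + msg)


def recv_kdc_msg(sock):
    (length,) = struct.unpack(">I", _recv_exact(sock, 4))
    if length & 0x80000000:  # high bit is reserved for future expansion
        raise ValueError("reserved high bit set in length prefix")
    return _recv_exact(sock, length)


def make_listener():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    s.listen(1)
    return s


def serve_one(listener, handler):
    """Accept exactly one connection, run handler on it, return."""
    conn, _ = listener.accept()
    with conn:
        handler(conn)


def forward_one(client, kdc_addr):
    """Forwarder (hypothetical ka-forwarder): relay one KDC message from a
    client that knows nothing about the realm to the local KDC, and relay
    the KDC's reply back. Only this side needs the realm configuration."""
    req = recv_kdc_msg(client)
    with socket.create_connection(kdc_addr, timeout=5) as kdc:
        send_kdc_msg(kdc, req)
        rep = recv_kdc_msg(kdc)
    send_kdc_msg(client, rep)


def stub_kdc(conn, reply=b"KRB-AS-REP-STUB"):
    """Stand-in for a KDC: consume one request, answer with canned bytes."""
    recv_kdc_msg(conn)
    send_kdc_msg(conn, reply)


def client_request(cell, cells, forwarder_port, request=b"KRB-AS-REQ-STUB"):
    """Client side: pick the forwarder host from CellServDB, send, get reply."""
    host = cells[cell][0]
    with socket.create_connection((host, forwarder_port), timeout=5) as s:
        send_kdc_msg(s, request)
        return recv_kdc_msg(s)


def run_demo():
    """Wire stub KDC, forwarder and client together on loopback."""
    cells = parse_cellservdb(SAMPLE_CELLSERVDB)
    kdc_l, fwd_l = make_listener(), make_listener()
    kdc_addr = kdc_l.getsockname()
    t_kdc = threading.Thread(target=serve_one, args=(kdc_l, stub_kdc))
    t_fwd = threading.Thread(target=serve_one,
                             args=(fwd_l, lambda c: forward_one(c, kdc_addr)))
    t_kdc.start()
    t_fwd.start()
    reply = client_request("example.org", cells, fwd_l.getsockname()[1])
    t_kdc.join()
    t_fwd.join()
    kdc_l.close()
    fwd_l.close()
    return reply


if __name__ == "__main__":
    print(run_demo())
```

The point of the split is visible in which function holds `kdc_addr`: only `forward_one` on the database server does, while `client_request` is driven entirely by the CellServDB entry for the cell. A real forwarder would additionally have to bound request sizes, limit concurrency and rate, and refuse to relay to anything but its own cell's KDC, since it is otherwise an open reflector onto the Kerberos port.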