[OpenAFS] Windows 2000 AD and fakeka

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 27 Jun 2005 19:10:06 -0400


On Wednesday, June 22, 2005 07:06:42 AM -0400 Jeffrey Altman 
<jaltman@columbia.edu> wrote:

> Ming Hou wrote:
>
>> Hi,
>>
>> I would like to have fakeka to work with Windows 2000 AD, and I think
>> that fakeka is going to run on my AFS database server. Are there some
>> successful cases to make it work? If yes, how should I set it up?
>>
>> Thank you.
>> ming
>
> fakeka provides a Kerberos 4 service.   Active Directory does not
> support Kerberos 4.   You would have to write one that had access to
> the user's password and the key associated with the afs service.


Actually, fakeka provides the kaserver service, not Kerberos 4.  It 
provides support for the kaserver authentication service (the equivalent of 
the Kerberos AS and TGS), and to do so it needs access to the contents of 
the Kerberos database, which means it must run on the KDC (not the AFS 
database servers), and the KDC must use a database format it understands.


The support (or lack thereof) of Kerberos 4 in the Windows AD is not at 
issue here; the database format is.  The current fakeka code understands 
only the MIT Kerberos database format (in fact, it doesn't even understand 
that -- it uses an internal Kerberos database API).  The AD database format 
is undocumented, not a public interface, and subject to change between 
versions.  Writing software which accessed it directly would be quite 
difficult.


Exactly what functionality do you require that you think fakeka will help 
you with?  Perhaps we can help you find another way to get what you need.


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA