[OpenAFS] openafs and dce cell

Douglas E. Engert deengert@anl.gov
Tue, 08 Nov 2005 14:25:40 -0600


Derek T. Yarnell wrote:

> So we are moving out of DCE/DFS and I need to be able to run them side 
> by side for a bit.  Obviously I can't run krb542d on the DCE cell. 

Yes you can!

If you use the -k option, krb524d uses a keytab instead of a database. We used
to run DCE till 2001. One of the first mods to aklog (ak5log) was to never
request a k4 ticket from the DCE KDC but to get a K5 ticket for afsx/<cell>@<realm>.
The krb524d (using the MIT libraries, not DCE) would use the key from the keytab
file to decrypt the ticket, then would create a k4 ticket and encrypt it in one
of the keys found in a copy of the AFS KeyFile. With this method the key, kvno
and enctype of the K5 principal and the AFS KeyFile do NOT have to match.

This same trick now works with Windows AD, which does not support k4 either,
and we run both krb524d and gssklogd.


> But 
> I can get a krb5 ticket out and that works fine, I thought there was now 
> support for converting krb5 tickets into tokens without the need of a 
> 524d? Or am I stuck with gssklog until I convert over to a MIT KDC with 
> the 524d?

(I wish you would not use the term stuck :-) You should be able to use the 1.4.0
aklog, as others have responded, which can use the K5 ticket directly. This does
require the key and kvno in the database to match one of the keys in the AFS
KeyFile. I wrote a program cpwkey.c in 1996 to use with DCE.

   "The cpwkey.c routine can be used to change a key in the DCE registry,
    by adding the key directly, or by setting the salt/pepper and password,
    or by providing the key and the pepper. This could be useful when
    copying keys from a K4 or AFS database to DCE. It can also be used when
    setting a DCE to K5 cross-cell key.  This program is a test program.
    For mass inserts, it should be rewritten to read from stdin."

If this helps, it can be found at:

ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5dce.20010824.tar

If you want the ak5log or krb524d mods for krb5-1.4.1 let me know.


> 
> I should know this by now but my brain hurts after repeated beatings by 
> users. :)
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
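The direct-K5 aklog path described above only works when the afs principal's key and kvno in the KDC match an entry in the cell's KeyFile. The following is an added example, not code from this thread or from OpenAFS, that parses a KeyFile (assumed layout: the afsconf_keys struct written in network byte order, int32 nkeys followed by 8 slots of int32 kvno plus an 8-byte DES key) and reports whether a given kvno/key pair extracted from a keytab matches; the KeyFile bytes and keys are constructed sample data.

```python
import struct

AFSCONF_MAXKEYS = 8  # KeyFile is a fixed 4 + 8*12 = 100 byte struct

def parse_keyfile(data: bytes) -> list[tuple[int, bytes]]:
    """Parse an AFS KeyFile: int32 nkeys, then entries of int32 kvno + 8-byte key."""
    if len(data) < 4:
        raise ValueError("KeyFile too short")
    (nkeys,) = struct.unpack("!i", data[:4])
    if not 0 <= nkeys <= AFSCONF_MAXKEYS:
        raise ValueError(f"implausible key count {nkeys}")
    keys, off = [], 4
    for _ in range(nkeys):
        if len(data) < off + 12:
            raise ValueError("KeyFile truncated")
        kvno, key = struct.unpack("!i8s", data[off:off + 12])
        keys.append((kvno, key))
        off += 12
    return keys

def build_keyfile(keys: list[tuple[int, bytes]]) -> bytes:
    """Serialise entries in the same layout (unused slots are zero-filled)."""
    data = struct.pack("!i", len(keys))
    for kvno, key in keys:
        data += struct.pack("!i8s", kvno, key)
    return data + b"\0" * (12 * (AFSCONF_MAXKEYS - len(keys)))

def des_parity_ok(key: bytes) -> bool:
    """DES keys carry odd parity in each byte; a failure hints at a mangled copy."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def check_k5_key(kvno: int, key: bytes, keyfile: bytes) -> str:
    """'match' if kvno and key agree with a KeyFile entry, 'kvno-only' if the
    kvno exists but the key bytes differ (aklog will fail), else 'missing'."""
    entries = parse_keyfile(keyfile)
    if (kvno, key) in entries:
        return "match"
    if any(k == kvno for k, _ in entries):
        return "kvno-only"
    return "missing"

# Constructed sample: two odd-parity DES keys at kvno 2 and 3.
KEY_A = b"\x01\x02\x04\x07\x08\x0b\x0d\x0e"
KEY_B = b"\x10\x13\x15\x16\x19\x1a\x1c\x1f"
SAMPLE_KEYFILE = build_keyfile([(2, KEY_A), (3, KEY_B)])

if __name__ == "__main__":
    print(parse_keyfile(SAMPLE_KEYFILE))
    print(check_k5_key(3, KEY_B, SAMPLE_KEYFILE))   # match
    print(check_k5_key(3, KEY_A, SAMPLE_KEYFILE))   # kvno-only
```

A "kvno-only" result is the case the reply warns about: the KDC and KeyFile disagree on the key for that kvno, so the K5 ticket cannot be decrypted by the fileserver.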