[OpenAFS] Native Kerberos 5 authentication in openafs-1.4

Earl Shannon Earl_Shannon@ncsu.edu
Thu, 15 Sep 2005 08:12:24 -0400


Hello,

While probably not the case, I can only hope that the exclusion of the tools
is because they want to do a better job of interoperating with the KDC.
In my opinion that would mean dropping the need for aklog and asetkey.
After all, aklog is basically a second authentication. Why can't the
authentication take place the same way as, say, using an IMAP server? You
access the server (cd to /afs) and get asked for your credentials. Since
you, hopefully, have a TGT already from logging in, you should be good to
go. This whole concept is pretty old in Internet time; it's called single
sign-on.

And asetkey simply puts the principal afs into a keyfile that AFS knows how
to read. Well, make AFS read the Kerberos key file where it is, as it is.

Sadly, both are easier said than done. However, this makes the two tools
unnecessary. But I'm guessing none of this will happen soon. And a more
likely reason they aren't included now is probably because no one's
gotten a round tuit yet. :)

Regards,
Earl Shannon

Timothy G. Flynn wrote:

> Hello,
>
>   The announcement for openafs-1.4.0rc1 contains the following statement:
>
>       "This release allows all Kerberos 5 KDCs including Microsoft Active
>        Directory to be the source of AFS client authentication."
>
>   While I have been able to get this working (without using krb524d),
> doing so required using two tools which are not readily provided by
> the openafs source distribution: aklog and asetkey. aklog is
> included in openafs-1.4 but is not installed even when the source
> distribution has been configured with the --with-krb5 (or
> --with-krb5-conf) option. asetkey is not included with openafs and
> must be installed from a separate package.
>
>   Is there another procedure for configuring krb5 authentication that
> does not require these tools? If so I have found no information on
> the web concerning it?
>
>   If not, would it not be advisable to distribute the required tools
> with openafs given that most new installations are likely to want to
> use krb5 authentication?
>
>   This post refers to my experience with RC3. If these issues have
> been addressed in RC4, which I have not yet installed, my apologies.
>
> Thanks,
> Tim Flynn