[OpenAFS] OpenAFS in Mixed 1.2/1.3 environment

Gurganus, Brant L gurganbl@rose-hulman.edu
Wed, 28 Sep 2005 11:05:39 -0500


Thank you for the information.  You were correct about those version
numbers.  I was thinking they were in sync with the clients.  Anyhow, I
seem to have been able to authenticate the cs.rose-hulman.edu domain
with klog and was able to modify files that the ACLs indicate I should
not be able to modify unless I was authenticated.  I will relay the
information on to the cs.rose-hulman.edu administrator.

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman@secure-endpoints.com]
Sent: Wednesday, September 28, 2005 10:54 AM
To: Gurganus, Brant L
Cc: OpenAFS information
Subject: Re: [OpenAFS] OpenAFS in Mixed 1.2/1.3 environment

Gurganus, Brant L wrote:
> The rose-hulman.edu AFS domain uses AFS 1.3 or newer meaning Kerberos 5
> or newer for authentication.  The cs.rose-hulman.edu AFS domain uses AFS
> 1.2 authenticating against Kerberos 4 still until it can be upgraded.  Is
> there a way to contact both servers?  At a minimum, I think Leash
> should allow me to get the kerberos tickets for rose-hulman.edu which it
> does as well as the cs.rose-hulman.edu tickets which it does not.  It
> gives a bad password error code for cs.rose-hulman.edu when the password
> is correct.

I'm not sure that you are providing the correct information.  The
rose-hulman.edu AFS servers are running version OpenAFS 1.2.13 and use
a Kerberos 5 realm ROSE-HULMAN.EDU for authentication.

The cs.rose-hulman.edu AFS server is running version OpenAFS 1.0.4.
Does this cell use the ROSE-HULMAN.EDU realm for authentication (it
could) or does it use the "kaserver"?   I am going to assume for the
rest of this discussion that it is using the "kaserver".

The answer to your question, based upon the assumption that
cs.rose-hulman.edu is using the CS.ROSE-HULMAN.EDU kaserver realm for
authentication, is that you can access both AFS cells but you can only
obtain tickets using Leash32 for ROSE-HULMAN.EDU.   KFW 2.6.x expects
the KDC to support Kerberos 5.   Although Leash32 can obtain a Kerberos
4 TGT it will do so after trying to obtain a Kerberos 5 TGT and will
then try to convert it using the krb524 daemon.

To access the cs.rose-hulman.edu cell you will need to use the
"klog.exe" that comes with OpenAFS and authenticate separately.

The OpenAFS you are running is quite old and really should be upgraded
to at least OpenAFS 1.2.13 if not the forthcoming 1.4.0.   Once this
upgrade is performed it would be possible to allow the cell to use the
ROSE-HULMAN.EDU realm for authentication.   The AFS service tickets for
cs.rose-hulman.edu would be of the form

	afs/cs.rose-hulman.edu@ROSE-HULMAN.EDU

The cs.rose-hulman.edu cell would have its krb.conf file edited (or
created) to specify ROSE-HULMAN.EDU.   If there is a need for
CS.ROSE-HULMAN.EDU to maintain its own Kerberos realm, the kaserver can
be replaced with either Heimdal or MIT Kerberos.

Jeffrey Altman
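The reply at the top of this thread reports being able to modify files that the ACLs suggested should need authentication. As an added example (not code from either poster or from OpenAFS), the script below parses the text that `fs listacl <path>` prints and flags directories where `system:anyuser`, the principal every unauthenticated client matches, effectively holds write-class rights (i, d, w, k or a), taking negative rights into account. The sample output and the `/afs/example.cell/proj` path are constructed for the demonstration.

```python
import re

# Rights that let a client change a directory's contents or its ACL:
# insert, delete, write, lock, administer.
WRITE_RIGHTS = set("idwka")
# The only AFS principal an unauthenticated client is guaranteed to match.
ANON = "system:anyuser"


def parse_listacl(output: str) -> dict:
    """Parse 'fs listacl' output into {"path", "normal", "negative"}.

    "normal" and "negative" map principal -> rights string. The
    "Negative rights:" section is only printed when it is non-empty.
    """
    acl = {"path": None, "normal": {}, "negative": {}}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            acl["path"] = m.group(1)
        elif line == "Normal rights:":
            section = "normal"
        elif line == "Negative rights:":
            section = "negative"
        elif section is not None and len(line.split()) == 2:
            principal, rights = line.split()
            acl[section][principal] = rights
    return acl


def unauthenticated_write(acl: dict) -> set:
    """Write-class rights system:anyuser holds after negative rights apply."""
    granted = set(acl["normal"].get(ANON, ""))
    denied = set(acl["negative"].get(ANON, ""))
    return (granted - denied) & WRITE_RIGHTS


# Constructed sample of what 'fs listacl /afs/example.cell/proj' might print.
SAMPLE = """Access list for /afs/example.cell/proj is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
Negative rights:
  system:anyuser k
"""

if __name__ == "__main__":
    parsed = parse_listacl(SAMPLE)
    exposed = unauthenticated_write(parsed)
    if exposed:
        print(f"{parsed['path']}: {ANON} can modify ({''.join(sorted(exposed))})")
```

In practice the output of `fs listacl` for each directory of interest would be fed to `parse_listacl` in place of `SAMPLE`; an empty set from `unauthenticated_write` means only read-class rights are open to unauthenticated clients.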