[OpenAFS] aklog and aklog -524

vladimir konrad v.konrad@lse.ac.uk
Tue, 14 Nov 2006 17:18:40 +0000


Thank you for your help,

> Right.  It means that you're running krb524d to return K4 tickets to
> applications that needed them, like AFS.  As of OpenAFS 1.2.8, the
> server supports native K5 tickets, so you shouldn't have to do this
> any longer. The aklog that ships with OpenAFS 1.4 is the new version
> that does native K5 tickets by default (as opposed to the version
> that shipped with sarge, which was from the Kerberos Migration Kit
> and did 524 by default).

Also, the Debian people hinted that the pam-openafs-session module is
going to be replaced with a new rewrite...

> > when doing aklog from sarge, the kerberos server log shows two
> > requests for principals:
> > 	afs/domain-name@kerberos-realm
> > 	afs@kerberos-realm
> 
> > when doing the same from etch with -524 option, the log shows only
> > one request for principal:
> > 	afs/domain-name@kerberos-realm
> 
> > there is only one principal in the kerberos database for afs:
> > afs@kerberos-realm.
> 
> But the latter works anyway?

Yes, it does. If I run aklog on etch with the -524 option, the aklog itself
succeeds and /afs is accessible. If I do the same without the -524, the
aklog on etch succeeds but /afs is inaccessible...

> You can double-check this in kadmin with getprinc afs@kerberos-realm.
> 
> Note that for native K5 authentication to work, this principal needs
> to have only one key which is of type des-cbc-crc.  The hashes don't
> matter but the encryption type does.  If it has other, stronger
> encryption types, you'll get a K5 service ticket for the stronger
> encryption type, aklog will try to use that as a token, and it won't
> work.

It looks like this is exactly what is happening (wrong encryption type
of the Kerberos keys),

kadmin(getprinc afs):

Number of keys: 2
Key: vno 9, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 9, DES cbc mode with CRC-32, no salt

One thing I do not understand is why it has 2 keys (and I also do not
understand what the difference is between a principal and a key; my
gaps in understanding this are obvious) - are the keys used for
encryption, and is the principal basically a reference to which keys to
use?

> You only have to have afs/cell-name@kerberos-realm if your cell name
> is different than your Kerberos realm.  Otherwise, either will work,
> although the latter form is recommended these days.

afs-cell-name = lower_case(kerberos-realm).

> /usr/share/doc/openafs-fileserver/README.servers.gz may be helpful,
> although it's targeted at new installations rather than upgrades.

I will read this ASAP.

So, if I create a Kerberos 5 principal with the correct encryption key
strength and do asetkey on the servers, native Kerberos 5 authentication
should work from all of them - woody, sarge and etch?

vlad
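The enctype problem described above (native K5 aklog only works when the afs principal holds a single des-cbc-crc key) can be checked mechanically against the output of kadmin's getprinc. The following is an added example, not code from the thread or from OpenAFS; it assumes MIT kadmin's "Key: vno N, <enctype>, <salt>" line format, and the two dumps embedded below are constructed samples (the first reproduces the two-key output quoted in the message).

```shell
#!/bin/sh
# Check a kadmin "getprinc" dump of the AFS service principal for the
# condition the thread describes: native K5 authentication needs exactly
# one key, and that key must be des-cbc-crc. Any stronger enctype means
# the KDC may issue a service ticket aklog cannot turn into a token.

# Constructed sample: the two-key principal quoted in the message.
SAMPLE_BAD='Principal: afs@EXAMPLE.REALM
Number of keys: 2
Key: vno 9, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 9, DES cbc mode with CRC-32, no salt'

# Constructed sample: what the principal should look like after re-keying.
SAMPLE_GOOD='Principal: afs@EXAMPLE.REALM
Number of keys: 1
Key: vno 10, DES cbc mode with CRC-32, no salt'

# afs_keys_ok GETPRINC_OUTPUT
# Returns 0 when the dump holds exactly one key and it is des-cbc-crc.
# Otherwise prints the key count and the offending enctypes to stderr
# and returns 1.
afs_keys_ok() {
    dump="$1"
    # grep -c exits 1 when nothing matches; the count is still printed.
    nkeys=$(printf '%s\n' "$dump" | grep -c '^Key: vno ' || true)
    # Keep only key lines that are NOT des-cbc-crc, then strip the
    # "Key: vno N, " prefix and the trailing ", <salt>" field.
    bad=$(printf '%s\n' "$dump" | grep '^Key: vno ' \
          | grep -v 'DES cbc mode with CRC-32' \
          | sed 's/^Key: vno [0-9]*, //; s/, [^,]*$//')
    if [ "$nkeys" -eq 1 ] && [ -z "$bad" ]; then
        return 0
    fi
    printf 'afs principal has %s key(s); non-des-cbc-crc enctypes: %s\n' \
        "$nkeys" "${bad:-none}" >&2
    return 1
}

# Against a live KDC (not run here) the same check would be:
#   afs_keys_ok "$(kadmin -q 'getprinc afs')"
```

On the quoted dump the function reports one Triple DES key and fails; after the principal is re-keyed to a single des-cbc-crc key and the servers updated with asetkey, it passes.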