[OpenAFS] kaserver//k5 parallel migration

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 19 Jan 2007 11:01:37 -0500


John:

The reason it works from both kaserver and AD is that the kvno
for the two keys is different.   Therefore, when parsing the
service ticket, the file server (or other AFS server) is able
to select the correct key to use to decrypt the service ticket
the client is sending.

You do want to use the +DesOnly option.  If I previously typed '-'
it was a typo.

Jeffrey Altman

John W. Sopko Jr. wrote:
> 
> I got this to work! That is I turned the kaserver back on and
> made sure the kvno were different in /usr/afs/etc/KeyFile. On
> the same machine I can do klog to the kaserver and things seem to work
> fine. Or I can kinit/aklog! Pretty nice! I also tested on another linux
> machine.
> 
> I do not quite understand why it works though. The fileserver is
> using the afs service keys from AD since the krb.conf file is
> pointing to the AD realm, or the -realm option to the fileserver :-).
> 
> If you klog to the kaserver you get a TGT from the kaserver. I think
> the kaserver then issues you a TGS afs service ticket the one generated
> from "bos setkey" . But the fileserver is pointing to the AD afs service
> ticket. I tried reading how service ticket works and have to admit I do
> not fully understand them.
> 
> I even made my user passwords different in the kaserver and
> the AD server and it still works fine! I just want to be sure this
> will work and why. This will be a fantastic migration path for us and I
> am sure others. I think this will work whether or not you are using
> a MIT/Heimdal or Windows KDC server.
> 
> As I said, I will put together the steps for all of this. Just need
> some more time. BTW, Microsoft sent me the new ktpass. I still want
> to put it through more testing and understand the options better.
> I hope to work on this this afternoon.
> 
> One ktpass questions. You originally told me to use the "-DesOnly"
> option, there is a + or - option to the command, the - turns
> this option off. I believe we want it on "+DesOnly". Does
> this option force a single DES key? Again just trying to
> understand more detail. I used "+DesOnly" with ktpass to create
> my working keytab.
> 
> I just installed the Windows openafs 1.5.1302 client. Looks
> good! I will be testing on how to migrate it soon.
> 
> Thanks for all your help.
> 
>>> AM I CRAZY?
>>> -----------
>>>
>>> Once I get Windows AD working can I run both our current kaserver and
>>> Windows AD authentication against our production cs.unc.edu openafs cell
>>> at the same time? If I can generate afs/cs.unc.edu service principals
>>> with the same password on the kaserver and the AD server will this work?
>>>
>>> This may be a good migration path for us. We currently have 2 password
>>> databases, kaserver and Windows AD. When we create accounts we use the
>>> same user login name for both Windows and linux. Most users keep their
>>> passwords the same so logging into Windows gives them an afs token.
>>> Even if they don't we just tell them to use their Windows password
>>> as we migrate machine configurations.
>>>
>>> This way we can migrate machines to authenticate to "Windows AD only"
>>> over a short period of time and start testing real live systems.
>>>
>>> First I have to get Windows AD afs service principal working.
>>
>> AFS only stores DES keys by key version number.  Ensure that your
>> kaserver key and your AD key have different version numbers and
>> you will be just fine.
>>
>> Jeffrey Altman
>
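The key-selection behaviour Jeffrey describes (the server picks its key by the kvno carried in the service ticket, so a kaserver key and an AD key can coexist as long as their kvnos differ) as an added, stdlib-only model; this is not code from the thread or from OpenAFS. The KeyFile layout (big-endian count, then 4-byte kvno plus 8-byte key entries) and the HMAC stand-in for DES ticket encryption are assumptions made for the example; the key bytes and user name are constructed.

```python
import hashlib
import hmac
import struct

# Assumed KeyFile layout (not taken from the thread): big-endian entry
# count, then (4-byte kvno, 8-byte DES key) records, as bos setkey writes.
def pack_keyfile(keys):
    out = struct.pack(">i", len(keys))
    for kvno, key in sorted(keys.items()):
        out += struct.pack(">i8s", kvno, key)
    return out

def parse_keyfile(blob):
    (n,) = struct.unpack_from(">i", blob, 0)
    keys = {}
    for i in range(n):
        kvno, key = struct.unpack_from(">i8s", blob, 4 + 12 * i)
        keys[kvno] = key
    return keys

# Stand-in for "encrypt the service ticket under the afs key": an HMAC tag
# replaces DES so the example needs no third-party crypto; verifying with
# the wrong key fails just as DES decryption with the wrong key would.
def issue_ticket(kvno, key, client):
    tag = hmac.new(key, f"{kvno}:{client}".encode(), hashlib.sha256).digest()
    return (kvno, client, tag)

def server_accepts(keyfile_blob, ticket):
    """Choose the server key by the ticket's kvno, then verify the ticket."""
    kvno, client, tag = ticket
    key = parse_keyfile(keyfile_blob).get(kvno)
    if key is None:
        return False  # no key with that kvno: the ticket cannot be decrypted
    expected = hmac.new(key, f"{kvno}:{client}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

KA_KEY = b"\x01\x02\x04\x07\x08\x0b\x0d\x0e"  # constructed: kaserver key, kvno 1
AD_KEY = b"\x10\x13\x15\x16\x19\x1a\x1c\x1f"  # constructed: AD key, kvno 2
KEYFILE = pack_keyfile({1: KA_KEY, 2: AD_KEY})

def demo():
    ok_klog = server_accepts(KEYFILE, issue_ticket(1, KA_KEY, "user"))   # kaserver path
    ok_aklog = server_accepts(KEYFILE, issue_ticket(2, AD_KEY, "user"))  # kinit/aklog path
    # Failure mode: a KDC whose key differs but reuses kvno 2 is rejected,
    # which is why the two keys must carry different version numbers.
    collision = server_accepts(KEYFILE, issue_ticket(2, KA_KEY, "user"))
    unknown = server_accepts(KEYFILE, issue_ticket(3, AD_KEY, "user"))
    return ok_klog, ok_aklog, collision, unknown
```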