[OpenAFS] Re: Windows AFS client / Kerberos V
Tue, 30 Jan 2007 14:33:14 -0500
"Christopher D. Clausen" <firstname.lastname@example.org> replied:
> Joe Buehler <email@example.com> wrote:
> > Converting to Kerberos V has been a bit frustrating -- you can't just
> > follow a recipe, you have to use Google and learn quite a bit about
> > K5 and AFS to work through it all. I'm still learning.
> Well, once you have things working, please write up a recipe for others
> to follow.
My recipe for starting a new cell is here:
Of course there are bits that are afs version & os environment
dependent, or even configuration dependent. For converting
to kerberos V, kenh's notes are still the ones you want.
For key/salt, it doesn't matter what you specify on the
ank line. I use
ank -randkey afs
not because I value the random key, but simply because it
won't prompt for a password.
I then use:
ktadd -e des-cbc-crc:v4 -k /tmp/afs.kt afs
here the encryption type does matter. Somebody commented that the salt
type is ignored. That is almost correct; it checks the spelling and
*then* ignores the type. "v4" is short -- afs3 or normal would work
identically. Doing the ktadd effectively does another "-randkey"; each
time you rerun ktadd, it will change the key & bump the kvno. Probably
the afs documentation should be clearer about this; this seems to be a
common point of confusion.
There is certainly room to improve the afs end of things. Future
versions of openafs should be better about building k5 versions
of aklog/asetkey/klog. Also future versions of pt should allow
the use of "pts -localauth" to add the first principal to the
pt database, which will obviate the need to use either "-noauth"
or "pt_util -w" to do this.
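An added example, not part of the thread: since every rerun of ktadd changes the key and bumps the kvno, it helps to inspect the keytab it wrote (/tmp/afs.kt above) and see exactly which kvno and enctype each afs entry carries before loading it into the AFS KeyFile. The Python below parses the MIT keytab file format (version 0x0502) and reports the highest kvno for a principal, plus warnings if the entry is not des-cbc-crc. The keytab bytes, the realm EXAMPLE.COM and the key material are constructed here for illustration.

```python
import struct

DES_CBC_CRC = 1  # enctype number for des-cbc-crc, the type AFS needs


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, realm: str, kvno: int, enctype: int,
                key: bytes, timestamp: int = 0) -> bytes:
    """Build one keytab v2 entry (used only to construct sample data)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">I", 1)            # name_type = KRB5_NT_PRINCIPAL
    body += struct.pack(">I", timestamp)
    body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno field
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)         # optional 32-bit vno extension
    return struct.pack(">i", len(body)) + body


# Constructed sample: what /tmp/afs.kt looks like after running the ktadd
# line twice, i.e. two des-cbc-crc entries for afs@EXAMPLE.COM at kvno 3 and 4.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("afs", "EXAMPLE.COM", 3, DES_CBC_CRC, bytes(range(8)), 1170185594)
    + build_entry("afs", "EXAMPLE.COM", 4, DES_CBC_CRC, bytes(range(8, 16)), 1170185600)
)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return a list of dicts, one per live entry in an MIT keytab v2 blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    entries = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:             # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        realm, p = _read_counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(data, p)
            comps.append(c.decode())
        p += 4                   # name_type, not needed here
        ts, vno8, enctype = struct.unpack_from(">IBH", data, p)
        p += 7
        key, p = _read_counted(data, p)
        kvno = vno8
        if end - p >= 4:         # 32-bit vno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "key_len": len(key),
            "timestamp": ts,
        })
        pos = end
    return entries


def latest_key(entries, principal: str):
    """Highest-kvno entry for a principal: the one the KDC now issues under."""
    matching = [e for e in entries if e["principal"] == principal]
    return max(matching, key=lambda e: e["kvno"]) if matching else None


def check_afs_entry(entry) -> list:
    """Warnings a cell admin would want before feeding the key to asetkey."""
    problems = []
    if entry["enctype"] != DES_CBC_CRC:
        problems.append("enctype %d is not des-cbc-crc" % entry["enctype"])
    if entry["key_len"] != 8:
        problems.append("key length %d is not 8 bytes" % entry["key_len"])
    return problems


if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for e in ents:
        print(e)
    cur = latest_key(ents, "afs@EXAMPLE.COM")
    print("use kvno", cur["kvno"], "warnings:", check_afs_entry(cur))
```

Reading a real keytab is `parse_keytab(open("/tmp/afs.kt", "rb").read())`. Seeing several kvnos for afs@REALM in the output is the signature of the ktadd-rerun behaviour described above; only the highest one is what the KDC is currently issuing service tickets under, so that is the kvno the AFS servers must hold.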