[OpenAFS] Re: Windows AFS client / Kerberos V

Marcus Watts mdw@umich.edu
Tue, 30 Jan 2007 14:33:14 -0500


"Christopher D. Clausen" <cclausen@acm.org> replied:
> Joe Buehler <jbuehler@spirentcom.com> wrote:
> > Converting to Kerberos V has been a bit frustrating -- you can't just
> > follow a recipe, you have to use Google and learn quite a bit about
> > K5 and AFS to work through it all.  I'm still learning.
> 
> Well, once you have things working, please write up a recipe for others 
> to follow.
> 
> <<CDC 

My recipe for starting a new cell is here:
	/afs/umich.edu/user/m/d/mdw/wp/uniq.2k
Of course there are bits that are afs version & os environment
dependent, or even configuration dependent.  For converting
to kerberos V, kenh's notes are still the ones you want.

For key/salt, it doesn't matter what you specify on the
ank line.  I use
	ank -randkey afs
not because I value the random key, but simply because it
won't prompt for a password.
I then use:
	ktadd -e des-cbc-crc:v4 -k /tmp/afs.kt afs
here the encryption type does matter.  Somebody commented that the salt
type is ignored.  That is almost correct; it checks the spelling and
*then* ignores the type.  "v4" is short -- afs3 or normal would work
identically.  Doing the ktadd effectively does another "-randkey"; each
time you rerun ktadd, it will change the key & bump the kvno.  Probably
the afs documentation should be clearer about this; this seems to be a
common point of confusion.

There is certainly room to improve the afs end of things.  Future
versions of openafs should be better about building k5 versions
of aklog/asetkey/klog.  Also future versions of pt should allow
the use of "pts -localauth" to add the first principal to the
pt database, which will obviate the need to use either "-noauth"
or "pt_util -w" to do this.

				-Marcus
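An added illustration of the kvno point in the mail above (example code written for this page, not from Marcus's mail or from OpenAFS): it parses an MIT keytab and reports the kvno and enctype of each entry, so the kvno that the latest ktadd run produced can be confirmed before it is handed to asetkey. The realm EXAMPLE.COM and the key bytes are constructed sample data.

```python
import struct
DES_CBC_CRC = 1  # enctype number selected by "-e des-cbc-crc" on the ktadd line
def _counted(b):
    return struct.pack(">H", len(b)) + b
def build_entry(realm, components, kvno, enctype, key):
    # one MIT keytab (format 0x0502) entry; the key bytes are constructed, not real
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name_type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)                       # 32-bit vno extension
    return struct.pack(">i", len(body)) + body
def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n
def parse_keytab(data):
    # one dict per live entry: principal, kvno, enctype, key length
    assert data[:2] == b"\x05\x02", "only keytab format version 2 is handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _nt, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:          # newer keytabs append a 32-bit kvno after the key
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "keylen": klen})
        pos = end
    return entries
def highest_kvno(data, principal):
    # the kvno to hand to asetkey: the newest entry ktadd wrote for that principal
    return max(e["kvno"] for e in parse_keytab(data) if e["principal"] == principal)
# constructed keytab: afs@EXAMPLE.COM after ktadd was run twice, so kvno 2 and then 3
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("EXAMPLE.COM", ["afs"], 2, DES_CBC_CRC, bytes(range(8)))
                 + build_entry("EXAMPLE.COM", ["afs"], 3, DES_CBC_CRC, bytes(range(8, 16))))
```

Running `parse_keytab(SAMPLE_KEYTAB)` shows both entries with enctype 1 (des-cbc-crc) and an 8-byte key; `highest_kvno` picks the kvno from the second ktadd run.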