[OpenAFS] 'afs' principal

Jason Edgecombe jason@rampaginggeek.com
Tue, 30 Oct 2007 08:48:52 -0400


Jeff Blaine wrote:
> Something I've never been very clear on as part of the
> conversion to Kerberos 5: The whole asetkey and afs
> principal operation.
>
> Could anyone explain what is going on there in detail
> for my (and everyone's) understanding/documentation? 
Hi Jeff,

Here is my (possibly flawed) understanding of the background:

The afs@REALM Kerberos principal is the crypto key that all AFS servers
use to talk to one another. A client authenticates to Kerberos and then
runs aklog to get a ticket for the AFS service. It does this by
asking the KDC for the afs/CELLNAME@REALM, then afs@REALM service
principals, using whichever is found first.

The key for the afs/CELL@REALM principal or afs@REALM principal is used
by all AFS servers and resides in the KeyFile. The asetkey command takes
the Kerberos keytab for the Kerberos afs principal and stores it in the
KeyFile in a format that the AFS server understands.

Someone please correct me if I'm wrong.

Jason
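
The following is an added example, not part of the original message and not OpenAFS code. It parses a keytab in the MIT version 0x0502 file format and applies the lookup order described above (afs/CELLNAME@REALM, then afs@REALM) to report which principal, kvno and enctype the keytab holds, which is what an administrator would confirm before running asetkey. The function names, the "highest kvno wins" tie-break and the sample realm, cell and keys are assumptions made for illustration.

```python
import struct

def _counted(data, p):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, names = pos + 2, []         # realm comes first, then the components
        for _ in range(ncomp + 1):
            name, p = _counted(data, p)
            names.append(name.decode())
        kvno = data[p + 8]             # skip name type + timestamp (8 bytes)
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        _, p = _counted(data, p + 11)  # key bytes are skipped, never returned
        if end - p >= 4:               # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def pick_afs_entry(entries, cell, realm):
    """Prefer afs/CELL@REALM, then afs@REALM; highest kvno wins (assumption)."""
    for name in (f"afs/{cell}@{realm}", f"afs@{realm}"):
        found = [e for e in entries if e[0] == name]
        if found:
            return max(found, key=lambda e: e[1])
    return None

# Constructed sample: realm, cell name, kvnos and all-zero keys are made up.
def _entry(realm, comps, kvno, enctype, key):
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
            + struct.pack(">IIBH", 1, 0, kvno, enctype) + s(key))
    return struct.pack(">i", len(body)) + body
SAMPLE = (b"\x05\x02" + _entry(b"EXAMPLE.COM", [b"afs"], 3, 1, bytes(8))
          + _entry(b"EXAMPLE.COM", [b"afs", b"example.com"], 4, 1, bytes(8)))
```

The parser returns only names, key version numbers and enctype numbers, so its output can be logged or pasted into a ticket without exposing key material.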