[OpenAFS] 'afs' principal
Tue, 30 Oct 2007 09:11:20 -0400
The exact clarity of explanation I was looking for.
For some reason my ignorance of the keytab format
compatibility issue was making things pretty muddled.
I was sure something more special was going on.
Jeffrey Altman wrote:
> Jason Edgecombe wrote:
>> Jeff Blaine wrote:
>>> Something I've never been very clear on as part of the
>>> conversion to Kerberos 5: The whole asetkey and afs
>>> principal operation.
>>> Could anyone explain what is going on there in detail
>>> for my (and everyone's) understanding/documentation?
>> Hi Jeff,
>> Here is my (possibly flawed) understanding of the background:
>> The afs@REALM kerberos principle is the crypto key that all AFS servers
>> use to talk to once another. A client authenticates to kerberos and then
>> runs aklog to get a ticket for the AFS service. It does this by having
>> the asking the KDC for the afs/CELLNAME@REALM, then afs@REALM service
>> principals using whichever is found first.
>> The key for the afs/CELL@REALM principal or afs@REALM principal is used
>> by all AFS servers and resides in the Keyfile. The asetkey command takes
>> the kerberos keytab for the kerberos afs principal and stores it in the
>> Keyfile in a format that the AFS server understands.
>> Someone please correct me if I'm wrong.
> You got it right. The language is just a bit off.
> afs/cellname@REALM (or afs@REALM which using the older convention) is
> the Kerberos v5 service principal for the AFS cell. The key assigned to
> that principal must be single DES. You create the key in the KDC
> database and then export it to a Kerberos v5 keytab file (as you would
> for any Kerberos v5 authenticated service.) AFS servers do not
> understand the Kerberos v5 keytab format. Instead they have their own
> equivalent, the KeyFile. asetkey copies the an entry out of a Kerberos
> v5 keytab and stores it into the AFS KeyFile.
> The key in the AFS KeyFile is used for authentication between the AFS
> clients and the AFS Servers and is also used for authenticated
> communication between the servers themselves.
> Jeffrey Altman