[OpenAFS] Support for Kerberos V

Simon Wilkinson sxw@inf.ed.ac.uk
Fri, 6 Nov 2009 14:33:22 +0000


On 6 Nov 2009, at 13:52, Jaap Winius wrote:

> Hi all,
>
> What's the state of support for Kerberos V in the current version of  
> OpenAFS? For instance, is pre-authentication supported yet?

You've been able to run OpenAFS with the REQUIRES_PREAUTH flag set on  
the afs/<cell>@REALM principal for at least the last 5 years. You will  
encounter problems if your realm doesn't have REQUIRES_PREAUTH set on  
its krbtgt service, or if you accept cross-realm tickets from realms  
which don't have preauth turned on.

There are two projects which will bring more complete Kerberos V  
support to AFS (in particular, support for a wider range of encryption  
types). Marcus Watts's rxk5 is functionally complete, but a number of
issues have to be addressed before it can be merged to the mainline. I  
can't speak to timescales for this - I guess it depends very much on  
how much time Marcus has to spend on it.

The second project is 'rxgk' - this will add support for all GSSAPI  
based security mechanisms, which includes Kerberos V. There is funding  
for the development of this, and there is a delivery deadline of  
August next year. It will then have to be integrated with the  
development branch, and progress into stable. Whilst I'd hope that  
process will be relatively fast, our past record of getting stable  
releases out of the door in a timely fashion isn't great.

Hope that helps!

Simon.