[OpenAFS] Kerberos4 needed for windows logon?
Bo Nygaard Bai
bai@es.aau.dk
Sun, 29 Aug 2010 18:36:21 +0200
I have recently migrated our old AFS cell from kaserver to Heimdal with
kaserver emulation. Yes, I know! This was probably the last cell to do
this.
Basically I did this:
* Make a copy of the kaservers database
* Import the database into Heimdal (using hprop | hpropd from the FAQ)
* Install Heimdal slave KDCs on all AFS database servers
* Enable kaserver emulation on the Heimdal slave KDCs
This works perfectly for all our Unix variants. But existing Windows
clients could not authenticate unless I enable Kerberos 4 support and
disable preauthentication for all users.
Heimdal log from Unix klog:
Aug 29 18:27:05 afsdb1 kdc[12185]: AS-REQ (kaserver) esbensen.@IES.AUC.DK from IPv4:130.225.51.24 for krbtgt.IES.AUC.DK@IES.AUC.DK
Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup esbensen@IES.AUC.DK succeeded
Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup krbtgt/IES.AUC.DK@IES.AUC.DK succeeded
Aug 29 18:27:05 afsdb1 kdc[12185]: sending 172 bytes to IPv4:130.225.51.24
Heimdal log from Windows OpenAFS client:
Aug 29 18:32:18 afsdb3 kdc[6647]: AS-REQ (krb4) bai.@IES.AUC.DK from IPv4:172.29.18.172 for afs.@IES.AUC.DK
Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup bai@IES.AUC.DK succeeded
Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup afs@IES.AUC.DK succeeded
Aug 29 18:32:18 afsdb3 kdc[6647]: sending 102 bytes to IPv4:172.29.18.172
It feels like a step backwards on security from using the kaserver.
Does the OpenAFS client for Windows only work with Kerberos 4?
Do I really need to disable preauthentication until all clients have
switched to use the MIT tools?
/Bo Bai
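A practical way to answer "how long do I have to keep krb4 and no-preauth enabled?" is to inventory which client addresses still send kaserver or krb4 AS-REQs to the Heimdal KDCs, so the legacy protocol can be switched off once that list is empty. The following is an added example, not code from the post or from Heimdal/OpenAFS. It parses the AS-REQ lines in the format shown in the post; the sample lines are constructed (the third, untagged AS-REQ line is an assumed plain Kerberos 5 request), and the assumption that an AS-REQ without a parenthesised protocol tag is Kerberos 5 is the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the Heimdal KDC log excerpts in the post.
# The last line is an assumed plain Kerberos 5 AS-REQ (no protocol tag in parentheses).
SAMPLE_LOG = """\
Aug 29 18:27:05 afsdb1 kdc[12185]: AS-REQ (kaserver) esbensen.@IES.AUC.DK from IPv4:130.225.51.24 for krbtgt.IES.AUC.DK@IES.AUC.DK
Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup esbensen@IES.AUC.DK succeeded
Aug 29 18:32:18 afsdb3 kdc[6647]: AS-REQ (krb4) bai.@IES.AUC.DK from IPv4:172.29.18.172 for afs.@IES.AUC.DK
Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup bai@IES.AUC.DK succeeded
Aug 29 18:40:01 afsdb2 kdc[777]: AS-REQ alice@IES.AUC.DK from IPv4:10.0.0.5 for krbtgt/IES.AUC.DK@IES.AUC.DK
"""

# The post's log shows kaserver-emulation and Kerberos 4 AS-REQs tagged with a
# parenthesised protocol name; an untagged AS-REQ is treated here as Kerberos 5
# (assumption of this example).
AS_REQ_RE = re.compile(
    r"kdc\[\d+\]: AS-REQ(?: \((?P<proto>kaserver|krb4)\))? "
    r"(?P<client>\S+) from (?P<addr>\S+) for (?P<service>\S+)"
)

# Both are pre-Kerberos 5 protocols that the poster wants to retire.
LEGACY_PROTOS = {"kaserver", "krb4"}


def normalize_principal(name):
    """Turn the krb4-style 'user.@REALM' / 'afs.@REALM' form into 'user@REALM'."""
    return name.replace(".@", "@")


def parse_as_requests(log_text):
    """Return one record per AS-REQ line; Lookup and other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        if not m:
            continue
        records.append({
            "proto": m.group("proto") or "krb5",
            "client": normalize_principal(m.group("client")),
            "addr": m.group("addr").split(":", 1)[1],  # drop the "IPv4:"/"IPv6:" prefix
            "service": normalize_principal(m.group("service")),
        })
    return records


def protocol_counts(records):
    """How many AS-REQs arrived per protocol; watch the krb4/kaserver share fall."""
    return Counter(r["proto"] for r in records)


def legacy_clients(records):
    """Map each client address still using kaserver/krb4 to the principals seen from it."""
    out = defaultdict(set)
    for r in records:
        if r["proto"] in LEGACY_PROTOS:
            out[r["addr"]].add(f'{r["client"]} ({r["proto"]})')
    return dict(out)


if __name__ == "__main__":
    recs = parse_as_requests(SAMPLE_LOG)
    print(protocol_counts(recs))
    for addr, who in sorted(legacy_clients(recs).items()):
        print(addr, sorted(who))
```

Run it against the real KDC log (for example by reading the file instead of SAMPLE_LOG) on each database server; once legacy_clients() comes back empty for a reasonable window, the krb4 listener and the per-user preauthentication exemption can be withdrawn together.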