[OpenAFS] Kerberos4 needed for windows logon?

Jeffrey Altman jaltman@secure-endpoints.com
Sun, 03 Oct 2010 10:30:02 -0400



The Windows OpenAFS client does not support the rx based kaserver
protocol.  It only supports the Kerberos v4 protocol which was also
supported by kaserver.  For Kerberos v5 support, the users must install
a Kerberos v5 implementation.  The only one supported at present is MIT
Kerberos for Windows.  Heimdal support will be available shortly.

Jeffrey Altman


On 8/29/2010 12:36 PM, Bo Nygaard Bai wrote:
> I have recently migrated our old AFS cell from kaserver to Heimdal with
> kaserver emulation. Yes, I know! This was probably the last cell to do
> this.
>
> Basically I did this:
>
>  * Make a copy of the kaservers database
>  * Import the database into Heimdal (using hprop | hpropd from the FAQ)
>  * Install Heimdal slave KDCs on all AFS database servers
>  * Enable kaserver emulation on the Heimdal slave KDCs
>
> This works perfectly for all our Unix variants. But existing Windows
> clients could not authenticate unless I enable kerberos 4 support and
> disable preauthentication for all users.
>
> Heimdal log from Unix klog:
> Aug 29 18:27:05 afsdb1 kdc[12185]: AS-REQ (kaserver)
> esbensen.@IES.AUC.DK from IPv4:130.225.51.24 for
> krbtgt.IES.AUC.DK@IES.AUC.DK
> Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup esbensen@IES.AUC.DK succeeded
> Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup krbtgt/IES.AUC.DK@IES.AUC.DK
> succeeded
> Aug 29 18:27:05 afsdb1 kdc[12185]: sending 172 bytes to IPv4:130.225.51.24
>
> Heimdal log from Windows OpenAFS client:
> Aug 29 18:32:18 afsdb3 kdc[6647]: AS-REQ (krb4) bai.@IES.AUC.DK from
> IPv4:172.29.18.172 for afs.@IES.AUC.DK
> Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup bai@IES.AUC.DK succeeded
> Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup afs@IES.AUC.DK succeeded
> Aug 29 18:32:18 afsdb3 kdc[6647]: sending 102 bytes to IPv4:172.29.18.172
>
> It feels like a step backwards on security from using the kaserver.
>
> Does the openafs client for Windows only work with kerberos4?
>
> Do I really need to disable preauthentication until all clients have
> switched to use the MIT tools?
>
> /Bo Bai


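An added example, not part of the original messages and not OpenAFS or Heimdal code: a small Python parser that inventories which client addresses and principals still send `AS-REQ (krb4)` or `AS-REQ (kaserver)` requests, so Kerberos 4 support can be switched off and preauthentication re-enabled once the list is empty. The sample lines are constructed in the format of the quoted KDC logs (assumed to be one request per line on disk); the realm, host names and addresses are placeholders, and treating an untagged `AS-REQ` line as a Kerberos v5 request is an assumption.

```python
import re
from collections import defaultdict

# AS-REQ lines tagged (krb4) or (kaserver), in the format of the quoted logs:
#   "<date> <host> kdc[<pid>]: AS-REQ (krb4) user.@REALM from IPv4:<addr> for afs.@REALM"
LEGACY_AS_REQ = re.compile(
    r"kdc\[\d+\]: AS-REQ \((?P<proto>krb4|kaserver)\) "
    r"(?P<client>\S+) from IPv[46]:(?P<addr>\S+) for (?P<server>\S+)"
)

def legacy_clients(lines):
    """Map (protocol, client address) -> sorted principals seen using it."""
    seen = defaultdict(set)
    for line in lines:
        m = LEGACY_AS_REQ.search(line)
        if m:  # Lookup/sending lines and untagged AS-REQs are skipped
            seen[(m["proto"], m["addr"])].add(m["client"])
    return {key: sorted(users) for key, users in seen.items()}

def krb4_hosts(lines):
    """Addresses that still depend on Kerberos 4 being enabled on the KDC."""
    return sorted({addr for (proto, addr) in legacy_clients(lines) if proto == "krb4"})

# Constructed sample input (placeholder realm and documentation addresses).
SAMPLE_LOG = [
    "Aug 29 18:27:05 kdc1 kdc[101]: AS-REQ (kaserver) alice.@EXAMPLE.ORG "
    "from IPv4:192.0.2.10 for krbtgt.EXAMPLE.ORG@EXAMPLE.ORG",
    "Aug 29 18:27:05 kdc1 kdc[101]: Lookup alice@EXAMPLE.ORG succeeded",
    "Aug 29 18:32:18 kdc2 kdc[202]: AS-REQ (krb4) bob.@EXAMPLE.ORG "
    "from IPv4:192.0.2.20 for afs.@EXAMPLE.ORG",
    "Aug 29 18:40:00 kdc2 kdc[202]: AS-REQ (krb4) carol.@EXAMPLE.ORG "
    "from IPv4:192.0.2.20 for afs.@EXAMPLE.ORG",
    # Assumed shape of a Kerberos v5 request: no parenthesised protocol tag.
    "Aug 29 18:41:00 kdc2 kdc[202]: AS-REQ dave@EXAMPLE.ORG "
    "from IPv4:192.0.2.30 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
]

if __name__ == "__main__":
    for (proto, addr), users in sorted(legacy_clients(SAMPLE_LOG).items()):
        print(f"{proto:9} {addr:15} {', '.join(users)}")
    print("hosts still requiring krb4:", krb4_hosts(SAMPLE_LOG))
```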