> [Ken Hornstein writes:]
> > >This is why a lot of sites are using Kerberos 4 or 5 instead of the AFS
> > >kaserver - since the TGT stays around, you can use it to get tickets for
> > >other services instead of AFS, and services like POP only need to know
> > >their key, instead of the AFS key.
>
> [Nathan Neulinger writes:]
> > This is not really an option for us... (Not for anyone really who has an
> > already established user base...) Especially since this would mean having
> > to change every server, and every station in the cell... Not even
> > remotely an option.
>
> You don't need to change your kaserver or afsds, if you don't want to. You
> can build K4 libraries that use the string-to-key function AFS uses,
> build your KPOP server against it, leave the rest of your AFS installation
> in place. Works great. There are other, better options, but that one is the
> simplest to do with very limited resources. Thanks to Derrick Brashear,
> lots of good pointers can be found in
> /afs/andrew.cmu.edu/usr/shadow/Public/afs.html.

For what it's worth...
- Transarc ships a number of token-management utilities named with the
  suffix '.krb' (klog, unlog, tokens, and maybe even login), which will
  manage a Kerberos-style ticket cache (in a file) in addition to the
  kernel token cache.
- The AFS kaserver knows how to speak the Kerberos ticket-granting
  protocol, so utilities built against standard Kerberos libraries can
  use it to get tickets. (But not other operations, like password changes.)
- There are patches available for kinit (from here and possibly elsewhere
  as well) to make it understand the AFS string-to-key operation, so you
  can use kinit to get a TGT from the kaserver. We (CMUCS) also have
  patches that automatically get AFS tickets, and add a token to the KTC.
- We currently run a real Kerberos server in CMUCS, and no kaserver at
  all. To ease the transition, and deal with users in other cells who
  don't have Kerberos utilities at all, we developed a translator of
  sorts. This consists of two simple programs. "fakeka" runs on the
  Kerberos server, and provides a kaserver-like ticket-granting service
  to AFS clients. It's not as complete as what a real kaserver can do,
  but it makes 'klog' work. The second program, ka-forwarder, is only
  necessary if your Kerberos server is on a different machine from the
  AFS database servers. It runs on the DB servers, and forwards requests
  and responses between clients and the fakeka server. I'm pretty sure
  I could send copies of these to anyone who's interested.
-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Systems Programmer, CMU SCS Research Facility
Please send requests and problem reports to [EMAIL PROTECTED]