> >     Hello folks.  We are running AFS 3.4a with MIT Kerberos V4 as our
> >authentication engine.  One of our professors has a standard cell on our
> >site and he'd like to be able to get tokens for our cell without
> >installing any special software, i.e. a Kerberos client and aklog.  Since
> >our kerberos server isn't running on our database servers and since we're
> >using a different string-to-key routine than normally runs in the AFS
> >Kaserver, is there anything we can do to allow standard installations to
> >get tokens from us with the standard klog program?
> 
> Sounds like you need fakeka; it's a CMU-developed program that emulates
> just enough of the AFS kaserver to make "klog" work (and the V4
> string-to-key algorithm isn't a problem; klog already knows about it).
> I ported this to V5, but the original V4 one should work just fine.
> 
> I got my copy from Jeff Hutzelman; Jeff, you want to tell us where you
> can get fakeka from?
> 
> --Ken

Maybe this should be a FAQ...

The fakeka distribution for Krb4, such as it is, can be found in
/afs/cs.cmu.edu/project/systems-jhutz/afs-dist/fakeka.  For people
who aren't attached to the global AFS hierarchy - shame on you!
Nonetheless, I will be happy to send copies via email to any such
people who are interested.  A version for Krb5 is also available,
as part of Ken's AFS-krb5 migration toolkit.

There's really not much documentation, but the idea is pretty simple:
On your AFS database servers, replace kaserver with ka-forwarder,
run as follows:

    ka-forwarder kdc-host...

This accepts AFS authentication requests from the standard Transarc
clients, and passes them on to fakeka, which runs on the KDC.  It
also receives the replies from fakeka, and forwards them back to
the clients.

On the KDC, you'll run an additional service, fakeka:

    fakeka [-m] [-f forwarder...]

You need a '-f forwarder' for each machine which runs ka-forwarder,
so that fakeka can tell which machines are authorized forwarders.
Requests coming from machines other than authorized forwarders are
assumed to be direct from the client, so you don't need ka-forwarder
at all if your KDC runs on your database servers.

Pass the -m flag to fakeka if you provide it to the KDC; this is
used to control whether it prompts for the Kerberos master key
or reads it from a stash file.

The fakeka server supports only standard authentication using 'klog';
it does NOT provide a TGT that can be used for other services, and does
NOT support any of the admin or password-changing protocols.  Also, as
shipped, both fakeka and ka-forwarder are quite verbose; you may want
to disable some of the logging.


-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
   Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
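
As an added example (not from this thread or from the fakeka distribution), a shell snippet that derives the fakeka '-f' list from a CellServDB-style list of a cell's database servers, so that every host running ka-forwarder is also an authorized forwarder; the cell names, hosts and CellServDB text are constructed sample data.

```shell
# Added example, not part of the fakeka distribution.  Builds the fakeka
# command line from a CellServDB-style list of the cell's database servers,
# so that each host running ka-forwarder gets a matching '-f' entry.
# The CellServDB text below is constructed sample data; the cells and hosts
# are hypothetical.
CELLSERVDB_SAMPLE='>example.edu          #Example University
10.0.0.11           #db1.example.edu
10.0.0.12           #db2.example.edu
10.0.0.13           #db3.example.edu
>other.org          #Another cell
10.1.1.1            #db.other.org
'

# db_servers CELL: print the hostnames of CELL's database servers, one per
# line.  Format: a '>cell' line opens a cell; each following line is
# 'address #hostname' until the next '>' line.
db_servers() {
    cell="$1"
    printf '%s' "$CELLSERVDB_SAMPLE" | awk -v cell="$cell" '
        /^>/ { incell = (substr($1, 2) == cell); next }
        incell && NF >= 2 { sub(/^#/, "", $2); print $2 }
    '
}

# fakeka_cmdline CELL [-m]: emit 'fakeka [-m] -f host ...' with one -f per
# database server, i.e. per ka-forwarder host.  Pass -m only if the KDC's
# master key is supplied interactively rather than read from a stash file.
fakeka_cmdline() {
    cmd="fakeka"
    if [ "$2" = "-m" ]; then
        cmd="$cmd -m"
    fi
    for h in $(db_servers "$1"); do
        cmd="$cmd -f $h"
    done
    printf '%s\n' "$cmd"
}
```

A host missing from the '-f' list is treated by fakeka as a direct client rather than a forwarder, so generating the list from the same server list the cell publishes avoids that omission.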