First question is: WHERE IS TRANSARC/IBM!! At Decorum 99, Ben Cox gave a great
presentation on converting AFS to use Kerberos 5. This sounded like a great
marketing strategy, in that it could allow AFS to eventually be the Distributed
File System for Win2000, and could use the Win2000 KDC, or some other K5 KDC.
I would be interested in where Transarc/IBM stood on this promised project.

"Neulinger, Nathan R." wrote:
>
> I was thinking that using gssapi could be leveraged. At one point, I seem to
> recall reading/hearing/being told that with the win2k kerberos support,
> client code had ZERO access to the tickets themselves and that the only
> exported interface was SSPI.
>
An interesting item in this area: Martin Rex <[EMAIL PROTECTED]> is working
on a GSSAPI to run over SSPI. He has been promising to release it any day,
and has been talking to Microsoft, who might add it as a sample program.
This could greatly simplify any program, especially if you understand GSSAPI
already.
> What I was thinking is that you could create a pseudo-krb524d that was a
> gssapi service on the server, and have aklog authenticate to it including
> forwarded tickets, and then have it use the forwarded tickets somehow and
> convert them - i.e. the same way that gssapi ftpd works with aklog now. i.e.
> if windows won't let you get at the tickets, forward em somewhere else and
> let that service do the work.
>
That would be a rather simple program to write, and you don't need to
forward any ticket. The function of krb524d is to convert the K5 service
ticket to a K4 ticket. A GSSAPI interface would be rather easy to add.
> I don't know if this makes any sense, as my low-level knowledge of aklog is
> limited. If the 'SSPI only' bit is no longer the case, it won't be an issue.
>
> -- Nathan
>
> ------------------------------------------------------------
> Nathan Neulinger EMail: [EMAIL PROTECTED]
> University of Missouri - Rolla Phone: (573) 341-4841
> Computing Services Fax: (573) 341-4216
>
> > -----Original Message-----
> > From: Ken Hornstein [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 17, 2000 9:14 AM
> > To: Nathan Neulinger
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: Anyone working on a Win2k/GSSAPI/SSPI version of aklog?
> >
> >
> > >Obviously, isn't really needed just yet, as the client won't be
> > >available for a while, but would be nice to know if it's being
> > >considered. (That is, unless you happen to have inside information
> > >intimating that transarc is finally going to start supporting krb5
> > >directly. *crossing fingers*)
> >
> > I'm not sure how a GSS-API aklog would _work_. You're not authenticating
> > _to_ anything ... you're getting a service ticket that you're cramming
> > into the kernel (after converting it to V4). How would you use GSS-API
> > in that case?
> >
> > --Ken
> >
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444