> Date: Tue, 08 Sep 92 14:29:30 CDT
> From: "Doug Engert" <[EMAIL PROTECTED]>
>
> Rich,
>
> We are installing AFS 3.2 and would like to use MIT Kerberos V4.
> Our Transarc PSR, Marybeth Schultz, referred me to you.
>
> The AFS 3.2 Release Notes on page 53 talk about "13.1 Increased
> Support of Kerberos Authentication", and have a klog.krb program
> which sounds like it works with the MIT Kerberos server.

I do not have a copy of the AFS 3.2 Release Notes; they disappeared from
the Transarc cell before I had a chance to read them, so I do not know
what information they contain. (I am currently contacting my PSR about
that.)
> I have a write-up with a program called
> asetkey which takes the srvtab file and extracts an AFS key.
> I did all of that, and shut down the kaserver, and started the
> kerberos and kadmin servers. I then use the klog.krb program. It
> complains that the kaserver is not running.

The kaserver supports Kerberos-style requests, but its primary mode of
operation with AFS clients is a special-style, using Rx. I suspect that
klog.krb makes use of the rx connection to the kaservers, rather than
the MIT-style Kerberos UDP "connection".
> I also heard that there is an aklog? program? Does it do what the
> klog.krb program does?

"aklog" is a program that we wrote that gets an "afs" ticket once you
already have a Kerberos TGT, and stuffs that ticket into the client
cache manager (in the AFS token format). The current source can be
found in: /afs/athena.mit.edu/astaff/project/afsdev/src/athena/aklog/*
> I am assuming that the steps needed to use Kerberos in place of
> the Kaserver are:
>
> o Don't run kaserver, at all
> o Run kerberos on all the AFS database servers
> o Run the kadmin process on one of them
> o Have the krb.conf file point to the database servers
> o Use the MIT kpasswd and kadmin programs
> o Run the asetkey program to copy key from Kerberos to afs
> KeyFile
> o Use the AFS 3.2 klog.krb program on AFS machines, and kinit
> when AFS is not being used.

At Athena, we have the Kerberos server running on:
kerberos.mit.edu admin
kerberos-1.mit.edu
kerberos-2.mit.edu
The AFS database servers are entirely separate. There is nothing
requiring that the Kerberos service must be provided from the same
machines as those providing the other AFS databases. The only utilities
that expect them to be the same are the Transarc utilities for acquiring
keys/tokens/etc. If you are using the MIT-style login or kinit, then
there is no such restriction. I have been considering extending "aklog"
to include the ability to simply prompt for the user's password if no
TGT is found, but have not yet gotten around to implementing that.
We run our Kerberos servers separately for several reasons:
o We had an already established set of servers and a large database.
o We don't want our Kerberos servers providing any other services or
protocols through which security might be lessened.
-Richard
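The krb.conf layout Richard describes (Kerberos servers listed per realm, with one flagged as the admin server, and none of them required to be an AFS database server) can be checked with a few lines of shell. The block below is an added example, not part of either message and not Transarc or MIT code: it writes a constructed krb.conf in the Kerberos V4 format (first line is the local realm, following lines are `REALM host [admin server]`) using placeholder hostnames, and provides small parsers for the realm, the server list and the admin server. The `afs_login` function only illustrates the MIT-style sequence (kinit for a TGT, then aklog to turn it into an AFS token, then tokens to show it) and is not invoked, since it needs a live KDC.

```shell
#!/bin/sh
# Added example (not from the original thread). Kerberos V4 krb.conf format:
#   line 1            = local (default) realm
#   following lines   = REALM host [admin server]
# All hostnames and the realm below are constructed placeholders.
KRB_CONF="${KRB_CONF:-$(mktemp)}"
cat > "$KRB_CONF" <<'EOF'
EXAMPLE.EDU
EXAMPLE.EDU kerberos.example.edu admin server
EXAMPLE.EDU kerberos-1.example.edu
EXAMPLE.EDU kerberos-2.example.edu
EOF

# Local (default) realm: the first line of the file.
krb_default_realm() {   # $1 = path to krb.conf
    head -n 1 "$1"
}

# Every host that serves the given realm, one per line.
krb_servers() {         # $1 = path to krb.conf, $2 = realm
    awk -v r="$2" 'NR > 1 && $1 == r { print $2 }' "$1"
}

# The host flagged "admin server": where kadmin and kpasswd must go.
krb_admin_server() {    # $1 = path to krb.conf, $2 = realm
    awk -v r="$2" 'NR > 1 && $1 == r && $3 == "admin" { print $2 }' "$1"
}

# MIT-style token acquisition: TGT first, then aklog converts it into an
# "afs" ticket in the cache manager. Illustrative only; not called here.
afs_login() {           # $1 = Kerberos principal
    kinit "$1" && aklog && tokens
}
```

Because the admin entry is the only one that matters for password changes and key extraction, the `krb_admin_server` result is the host whose srvtab the asetkey step in Doug's list would read from; the other entries only need to answer ticket requests.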