> From: Lawrence C Mc Abee <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: Fri, 08 Apr 1994 13:58:41 -0400
> Subject: AFS use of kerberos
> Message-Id: <[EMAIL PROTECTED]>
>
>
>
> Is there any documentation on the ways AFS uses kerberos on
> the system call level ? As in, what changes AFS has made to the
> kerberos system ?
>
> The reason I ask is I have some stuff that has been ported
> to kerberos 4, and I wish to use it on AFS. I'd like a guide to
> make it easier to get this stuff up and running.
>
> Email anything, and thanks,
>
> Lawrence C. Mc Abee.
>
> --
> Lawrence C. Mc Abee
> Engineering Computing, Computing Services Department, NJIT
> [EMAIL PROTECTED]
>
MIT kerberos doesn't provide any system calls, merely library
calls, utilities, daemons, & packet formats.

AFS kerberos does have some significant differences & enhancements.
You probably don't care about most of them. Here's what
you will need to know:

When logging in, you will need a ticket file. That's the
"-t" option to klog. You may also/instead need the right version
of login to make this happen. The AFS token is just a ticket for
"afs", not a krbtgt, so you can't use it for anything else
(and unless you can use a ticket for afs, you therefore
won't care about the system call interface to the cache
manager in the kernel, or the token stash that's kept there.)

It doesn't look like transarc distributes a "libkrb.a" (although
I could be wrong.) You will almost certainly prefer to use libkrb.a
to porting your application to RX. So you'll need to get a copy of
MIT kerberos and compile lib/krb from that.

If your application asks for a password, it will need to
know that the StringToKey function is different than in
MIT kerberos. If your application does not use passwords,
the difference will not matter; a key is a key, and
a ticket is a ticket.

The "libdes.a" supplied by transarc may be almost suitable.
The "des_string_to_key" function appears to be the
MIT algorithm, so be careful you don't use it. You need
to instead call "ka_StringToKey" on keys if you use the
transarc des library. Or, you can compile the MIT kerberos
version of lib/libdes and use that. There is an unencumbered
version of stringtokey floating around that is compatible with
the AFS string to key function.

The next concerns kaserver and udp packets. In 3.3, there
appear to be changes in kaserver that may fix these next
two anomalies:

If the kerberos server detects an error, it returns an
error packet, but there are some significant differences
in what the AFS kerberos server (kaserver) returns.
In the case of an "unknown user", it returns back an
apparently valid ticket with a credentials length of
0, not an error packet of KDC_PR_UNKNOWN.

In the case that your client had the wrong time, or various
other sorts of errors, kaserver will return an error
packet, as it should. It may, however, return an error
code of 0, which is wrong. This causes odd results to
the MIT library code; it returns back an "error 0", which
other layers interpret as meaning "success", with obviously
confusing results...

The MIT kerberos server provides a special TCP based service
to change the password. AFS kerberos does not support this.

The AFS kerberos server does support a 2nd mechanism to
get keys & otherwise talk to kaserver, which is based on RX
instead of just vanilla UDP. The RX mechanism is the only way
to change a password. In fact, all of the other administrative
functions of kaserver are also accessed via this mechanism,
so if you want to make an entry, delete it, or anything else,
it must be done this way.

Older versions of MIT kerberos stored lifetimes in an unsigned
byte in units of 5 minutes; maximum lifetime 1275 minutes, or 21
hours. Newer versions of MIT kerberos, and AFS kerberos, use
a lookup table for byte values greater than 127. The RX
interface to AFS kerberos actually allows even more arbitrary
lifetimes than this. If you want to deal correctly with
lifetimes, you will need the right lifetime function.

That's all you should need to know to port your application.

If you want to know more about AFS particulars such as setting
passwords or using tokens, you need to look through the various AFS-3
Programmer's Reference, and find documentation on:

    File server/Cache Manager interface
        describes tokens & their use
    Specification for the RX remote procedure call facility
    ?? There's undoubtedly documentation on the ka rx
       calls, but I can't find a copy.

-Marcus Watts
UM ITD RS Umich Systems Group
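Two of the points in the reply above are the kind of thing a port trips over silently: the ticket-lifetime byte changed meaning between old and new encodings, and kaserver can answer an "unknown user" with an empty-credentials ticket, or an error packet whose error code is 0, both of which naive MIT-style code reads as success. The following is an added illustration, not code from Marcus's reply nor from any MIT or Transarc library. It decodes lifetime bytes under both encodings and classifies a KDC reply so those two anomalies surface as errors. The `KdcReply` structure is a constructed stand-in for a parsed response, not the wire format, and the extended-lifetime table (a geometric series from 38400 seconds up to about 30 days for bytes 128..191, with everything above clamped to the maximum) is an assumption about the constants the "lookup table" scheme used; only its shape (linear below 128, table above) comes from the reply.

```python
"""Lifetime decoding and defensive KDC-reply classification for an
application ported from MIT Kerberos 4 to an AFS kaserver (added example)."""
from dataclasses import dataclass

MINUTE = 60
FIVE_MIN = 5 * MINUTE
OLD_MAX_LIFETIME = 255 * FIVE_MIN   # 1275 minutes, the 21-hour ceiling of the old scheme

# ASSUMPTION: extended-lifetime table for bytes 0x80..0xBF. Reconstructed as a
# geometric series starting at 38400 s and growing ~6.9% per step so that the
# last entry lands near 30 days; the exact constants are not from the reply.
_EXT_MIN = 0x80
_EXT_MAX = 0xBF
_EXT_TABLE = [round(38400 * 1.06914489 ** i) for i in range(_EXT_MAX - _EXT_MIN + 1)]
MAX_LIFETIME = _EXT_TABLE[-1]


def _check_byte(byte: int) -> None:
    if not 0 <= byte <= 255:
        raise ValueError("lifetime byte must fit in an unsigned byte")


def old_lifetime_seconds(byte: int) -> int:
    """Old MIT encoding: the whole byte is a count of 5-minute units."""
    _check_byte(byte)
    return byte * FIVE_MIN


def new_lifetime_seconds(byte: int) -> int:
    """Newer MIT / AFS encoding: linear up to 127, table lookup above.
    Bytes past the table end are clamped to the maximum (assumption)."""
    _check_byte(byte)
    if byte < _EXT_MIN:
        return byte * FIVE_MIN
    if byte > _EXT_MAX:
        return MAX_LIFETIME
    return _EXT_TABLE[byte - _EXT_MIN]


def lifetime_seconds(byte: int, extended_table: bool) -> int:
    """Pick the decoder that matches the peer's encoding."""
    return new_lifetime_seconds(byte) if extended_table else old_lifetime_seconds(byte)


def seconds_to_lifetime_byte(seconds: int, extended_table: bool) -> int:
    """Largest byte whose decoded lifetime does not exceed `seconds`
    (0 if even one 5-minute unit is too long)."""
    best = 0
    for byte in range(256):
        if lifetime_seconds(byte, extended_table) <= seconds:
            best = byte
    return best


@dataclass
class KdcReply:
    """Constructed view of an already-parsed reply; not the krb4 wire format."""
    is_error_packet: bool
    error_code: int = 0        # only meaningful for error packets
    credentials_len: int = 0   # only meaningful for ticket replies


def reply_status(reply: KdcReply) -> str:
    """Map a reply to a status string, never letting the kaserver quirks
    (error code 0, or a ticket with zero-length credentials) read as success."""
    if reply.is_error_packet:
        if reply.error_code == 0:
            # kaserver may send an error packet with code 0; do not pass 0 upward,
            # since callers treat 0 as "success".
            return "error:unspecified"
        return "error:%d" % reply.error_code
    if reply.credentials_len == 0:
        # kaserver's "unknown user" case: a ticket-shaped reply with no credentials
        # where MIT would have returned KDC_PR_UNKNOWN.
        return "error:unknown-user"
    return "ok"


if __name__ == "__main__":
    print("old max:", old_lifetime_seconds(255) // MINUTE, "minutes")
    print("new 0x80:", new_lifetime_seconds(0x80), "seconds")
    print("new 0xBF:", new_lifetime_seconds(0xBF) / 86400, "days")
    print(reply_status(KdcReply(is_error_packet=True, error_code=0)))
    print(reply_status(KdcReply(is_error_packet=False, credentials_len=0)))
```

The encoder walks all 256 byte values rather than inverting the formula, which keeps it correct for both encodings and makes "never hand out a lifetime longer than requested" a property you can assert on rather than reason about.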