Jeffrey Hutzelman wrote:
> 
> On 06/03/00 16:08:19 -0700 sysgod <[EMAIL PROTECTED]> wrote:
> 
> > Almost a year ago Transarc/IBM said they were about 95% done with
> > putting Kerberos V into AFS.  Anybody know what's up with that?
> > Apparently the guy that was working on it left the company.  Too bad, we
> > were hoping that would be real by now...
> 
> The person who was working on that project did leave Transarc some time
> ago.  I've heard claims that someone else was going to pick up the project,
> but I haven't actually seen or heard of someone doing it.  At this point, I
> suspect that krb5 support is pretty low priority, and I don't expect to see
> it anytime soon.

From talking to IBM a few weeks ago on this subject, it does appear that 
it is low priority. 

When they announced at Decorum 99 that they were going to do K5, and use
anyone's KDC, it looked like a fantastic marketing plan! For example, it looked 
like they were going to allow you to use a W2K Domain controller as your
KDC. This would have really given them the "Enterprise File System" 
as you could have AFS on W2K, and Unix and not need to run a separate KDC.
But somewhere along the way, they lost sight of this. 

But if enough of us complain, maybe they will reconsider. 

> 
> Unfortunately, extending rxkad to support Kerberos V and strong enough
> encryption to make it worthwhile is not an easy task -- especially if you
> are trying to maintain backwards compatibility within the existing
> authentication exchange.

At one time, Transarc offered an AFS to DFS migration kit. One of the features
was the translator, which acted like an AFS server, but accessed DFS using the
encrypted part of the K5 ticket as the token. So the AFS cache manager should
already have some of the K5 code, as you would do this in the aklog:

atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5; 

It's just the AFS servers which would need to look at the token differently. 

> Fortunately, you don't need AFS to support
> Kerberos V in order to use it with a Kerberos V KDC.  Most of the major
> KDC's support V4 authentication and even password changing, and the MIT
> distribution includes a 'krb524' translation service which turns V5 tickets
> into the equivalent V4 tickets.
>

For example, the DCE security servers don't support K4 compatibility, 
so we have been using the krb524 with a modified aklog, which
will do the conversion to a K4 ticket. This can be found at 
ftp://achilles.ctd.anl.gov/pub/kerberos.v5, 
along with mods for krb5-1.1.1 and the krb524 to allow the
krb524d to use a keytab file and the AFS KeyFile, so different keys can be used
with the K5 and K4 tickets. (See the README.txt, ak5log.000606.tar,
k5111.cdiffp.000504 files.) 
 
> If you're an existing AFS site considering moving to Kerberos V, you should
> check out Ken Hornstein's afs-krb5 migration toolkit.  It includes a number
> of utilities and patches to make life easier for sites running AFS with a
> Kerberos V KDC.
> 
> -- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
>    Sr. Research Systems Programmer
>    School of Computer Science - Research Computing Facility
>    Carnegie Mellon University - Pittsburgh, PA

-- 

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
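The message above mentions that aklog marks a Kerberos V ticket by setting the token's kvno field to RXKAD_TKT_TYPE_KERBEROS_V5, so that an AFS server can tell it apart from a Kerberos 4 ticket without changing the token layout. The following is an added example (not code from this thread, from Transarc/IBM, or from OpenAFS) showing how a server-side check can classify such a token before attempting any decryption. The struct layout, the sentinel value 256 for RXKAD_TKT_TYPE_KERBEROS_V5 and the MAXKTCTICKETLEN limit are written from memory of the OpenAFS headers and should be treated as assumptions; the helper names and the sample tokens are constructed for the example.

```c
/* Added example: classify an rxkad-style token by its overloaded kvno field.
 * A real Kerberos 4 key version number fits in one byte (0..255), so a
 * value outside that range can safely act as a "this is a K5 ticket"
 * marker. Constants and struct layout are assumptions modelled on OpenAFS. */
#include <stddef.h>
#include <string.h>

#define RXKAD_TKT_TYPE_KERBEROS_V5 256   /* assumed value, per OpenAFS rxkad.h */
#define MAXKTCTICKETLEN 12000            /* assumed value, per OpenAFS auth.h  */

struct ktc_token {
    int  kvno;                     /* V4 key version, or a ticket-type sentinel */
    int  ticketLen;                /* number of valid bytes in ticket[]          */
    char ticket[MAXKTCTICKETLEN];  /* opaque ticket bytes                        */
    long startTime;                /* token validity window (seconds)            */
    long endTime;
};

enum ticket_kind { TKT_INVALID = 0, TKT_KRB4 = 4, TKT_KRB5 = 5 };

/* Reject malformed tokens first, then dispatch on kvno. The server only
 * decides which decoder to hand the ticket to; it does not decrypt here. */
enum ticket_kind classify_rxkad_token(const struct ktc_token *t)
{
    if (t == NULL)
        return TKT_INVALID;
    if (t->ticketLen <= 0 || t->ticketLen > MAXKTCTICKETLEN)
        return TKT_INVALID;                 /* out-of-range length: never index ticket[] */
    if (t->endTime <= t->startTime)
        return TKT_INVALID;                 /* empty or inverted lifetime */
    if (t->kvno == RXKAD_TKT_TYPE_KERBEROS_V5)
        return TKT_KRB5;                    /* ticket[] holds a Kerberos 5 ticket */
    if (t->kvno >= 0 && t->kvno <= 255)
        return TKT_KRB4;                    /* ordinary V4 ticket under key version kvno */
    return TKT_INVALID;                     /* unknown marker: do not guess a decoder */
}

/* Build a constructed token (hypothetical helper; the payload is not a real ticket). */
static void make_test_token(struct ktc_token *t, int kvno, const char *payload,
                            long lifetime_secs)
{
    memset(t, 0, sizeof *t);
    t->kvno = kvno;
    t->ticketLen = (int)strlen(payload);
    memcpy(t->ticket, payload, (size_t)t->ticketLen);
    t->startTime = 1000;
    t->endTime = 1000 + lifetime_secs;
}

/* Convenience wrapper so a single call classifies a constructed token. */
int classify_constructed(int kvno, const char *payload, long lifetime_secs)
{
    struct ktc_token t;
    make_test_token(&t, kvno, payload, lifetime_secs);
    return (int)classify_rxkad_token(&t);
}

/* Length check in isolation: a claimed ticketLen beyond the buffer is rejected
 * even when kvno looks fine. */
int classify_with_claimed_length(int kvno, int claimed_len)
{
    struct ktc_token t;
    make_test_token(&t, kvno, "constructed", 3600);
    t.ticketLen = claimed_len;
    return (int)classify_rxkad_token(&t);
}
```

The point of dispatching on kvno before touching the ticket bytes is that the two ticket formats need different decoders and different keys (as the modified krb524d described above allows), and a token that matches neither marker should be rejected outright rather than tried against both.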
