Jason Edgecombe wrote:
> Jeff Blaine wrote:
>> Something I've never been very clear on as part of the
>> conversion to Kerberos 5: The whole asetkey and afs
>> principal operation.
>>
>> Could anyone explain what is going on there in detail
>> for my (and everyone's) understanding/documentation?
> Hi Jeff,
>
> Here is my (possibly flawed) understanding of the background:
>
> The [EMAIL PROTECTED] Kerberos principal is the crypto key that all AFS
> servers use to talk to one another. A client authenticates to Kerberos and then
> runs aklog to get a ticket for the AFS service. It does this by
> asking the KDC for the afs/[EMAIL PROTECTED], then [EMAIL PROTECTED]
> service principals, using whichever is found first.
>
> The key for the afs/[EMAIL PROTECTED] principal or [EMAIL PROTECTED]
> principal is used by all AFS servers and resides in the KeyFile. The asetkey command takes
> the Kerberos keytab for the Kerberos afs principal and stores it in the
> KeyFile in a format that the AFS server understands.
>
> Someone please correct me if I'm wrong.
>
> Jason
Jason:

You got it right. The language is just a bit off.

afs/[EMAIL PROTECTED] (or [EMAIL PROTECTED], which uses the older convention) is the Kerberos v5 service principal for the AFS cell. The key assigned to that principal must be single DES. You create the key in the KDC database and then export it to a Kerberos v5 keytab file (as you would for any Kerberos v5 authenticated service).

AFS servers do not understand the Kerberos v5 keytab format. Instead they have their own equivalent, the KeyFile. asetkey copies an entry out of a Kerberos v5 keytab and stores it into the AFS KeyFile.

The key in the AFS KeyFile is used for authentication between the AFS clients and the AFS servers and is also used for authenticated communication between the servers themselves.

Jeffrey Altman
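Both replies above describe the same mechanism: the cell's single-DES service key lives in the KDC, is exported to a Kerberos v5 keytab, and asetkey copies one keytab entry into the AFS KeyFile. The following added example (my own illustration, not OpenAFS or MIT Kerberos code) walks through that copy in pure Python on a constructed in-memory keytab, so the two on-disk layouts can be compared without a KDC. It assumes the version-2 keytab entry layout (sizes, counted realm and components, name type, timestamp, 8-bit vno, enctype, key, optional 32-bit kvno) and the OpenAFS KeyFile layout as I understand it: a big-endian count followed by eight fixed slots of 4-byte kvno plus 8-byte DES key, written at the full 100-byte struct size. The principal, realm, kvno and key bytes are constructed test values.

```python
import struct

# Assumed on-disk formats (see lead-in): Kerberos v5 keytab version 0x0502
# and the OpenAFS KeyFile (afsconf_keys) with AFSCONF_MAXKEYS slots.
KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_DES_CBC_CRC = 1      # single DES, the only key type the thread says AFS accepts
KRB5_NT_PRINCIPAL = 1
AFSCONF_MAXKEYS = 8
KEYFILE_SIZE = 4 + 12 * AFSCONF_MAXKEYS   # 100 bytes


def build_keytab(principal, realm, kvno, key, enctype=ENCTYPE_DES_CBC_CRC):
    """Serialize a one-entry v2 keytab (constructed test data; normally produced by kadmin ktadd)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                                 # optional 32-bit kvno
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Yield (principal@REALM, kvno, enctype, key) for each live entry of a v2 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        off = 0
        ncomp, rlen = struct.unpack(">HH", entry[off:off + 4]); off += 4
        realm = entry[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", entry[off:off + 2]); off += 2
            comps.append(entry[off:off + clen].decode()); off += clen
        _nt, _ts, vno8 = struct.unpack(">IIB", entry[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", entry[off:off + 4]); off += 4
        key = entry[off:off + klen]; off += klen
        kvno = vno8
        if off + 4 <= len(entry):         # 32-bit kvno, when present and non-zero, wins
            (kvno32,) = struct.unpack(">I", entry[off:off + 4])
            kvno = kvno32 or kvno
        yield "/".join(comps) + "@" + realm, kvno, enctype, key


def keyfile_build(entries):
    """Serialize [(kvno, 8-byte key), ...] as an AFS KeyFile, zero-padding unused slots."""
    if len(entries) > AFSCONF_MAXKEYS:
        raise ValueError("KeyFile holds at most %d keys" % AFSCONF_MAXKEYS)
    out = struct.pack(">i", len(entries))
    for kvno, key in entries:
        out += struct.pack(">i", kvno) + key
    return out.ljust(KEYFILE_SIZE, b"\x00")


def keyfile_parse(data):
    """Return the live (kvno, key) slots of an AFS KeyFile."""
    (nkeys,) = struct.unpack(">i", data[:4])
    return [(struct.unpack(">i", data[4 + 12 * i:8 + 12 * i])[0],
             data[8 + 12 * i:16 + 12 * i]) for i in range(nkeys)]


def asetkey_add(keyfile, keytab, kvno, principal):
    """Mimic `asetkey add <kvno> <keytab> <principal>`: copy one single-DES key into the KeyFile."""
    for name, entry_kvno, enctype, key in parse_keytab(keytab):
        if name == principal and entry_kvno == kvno:
            if enctype != ENCTYPE_DES_CBC_CRC or len(key) != 8:
                raise ValueError("KeyFile entries must be 8-byte single-DES keys")
            entries = [e for e in keyfile_parse(keyfile) if e[0] != kvno]  # same kvno replaces
            entries.append((kvno, key))
            return keyfile_build(entries)
    raise KeyError("no entry for %s kvno %d in keytab" % (principal, kvno))


if __name__ == "__main__":
    # Constructed values: a cell principal, its kvno and an arbitrary 8-byte key.
    kt = build_keytab("afs/example.com", "EXAMPLE.COM", 3, bytes.fromhex("0123456789abcdef"))
    kf = asetkey_add(keyfile_build([]), kt, 3, "afs/example.com@EXAMPLE.COM")
    print(len(kf), keyfile_parse(kf))
```

Running it prints the 100-byte KeyFile size and the single `(3, key)` slot; feeding the same keytab an entry with a non-DES enctype makes `asetkey_add` raise, which is the practical reason the thread insists the principal's key be single DES.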
