The exact clarity of explanation I was looking for.
For some reason my ignorance of the keytab format
compatibility issue was making things pretty muddled.
I was sure something more special was going on.
Thanks all.
Jeffrey Altman wrote:
Jason Edgecombe wrote:
Jeff Blaine wrote:
Something I've never been very clear on as part of the
conversion to Kerberos 5: The whole asetkey and afs
principal operation.
Could anyone explain what is going on there in detail
for my (and everyone's) understanding/documentation?
Hi Jeff,
Here is my (possibly flawed) understanding of the background:
The [EMAIL PROTECTED] kerberos principle is the crypto key that all AFS servers
use to talk to once another. A client authenticates to kerberos and then
runs aklog to get a ticket for the AFS service. It does this by having
the asking the KDC for the afs/[EMAIL PROTECTED], then [EMAIL PROTECTED] service
principals using whichever is found first.
The key for the afs/[EMAIL PROTECTED] principal or [EMAIL PROTECTED] principal
is used
by all AFS servers and resides in the Keyfile. The asetkey command takes
the kerberos keytab for the kerberos afs principal and stores it in the
Keyfile in a format that the AFS server understands.
Someone please correct me if I'm wrong.
Jason
Jason:
You got it right. The language is just a bit off.
afs/[EMAIL PROTECTED] (or [EMAIL PROTECTED] which using the older convention) is
the Kerberos v5 service principal for the AFS cell. The key assigned to
that principal must be single DES. You create the key in the KDC
database and then export it to a Kerberos v5 keytab file (as you would
for any Kerberos v5 authenticated service.) AFS servers do not
understand the Kerberos v5 keytab format. Instead they have their own
equivalent, the KeyFile. asetkey copies the an entry out of a Kerberos
v5 keytab and stores it into the AFS KeyFile.
The key in the AFS KeyFile is used for authentication between the AFS
clients and the AFS Servers and is also used for authenticated
communication between the servers themselves.
Jeffrey Altman
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
