The Windows OpenAFS client does not support the rx-based kaserver
protocol.  It only supports the Kerberos v4 protocol which was also
supported by kaserver.  For Kerberos v5 support, the users must install
a Kerberos v5 implementation.  The only one supported at present is MIT
Kerberos for Windows.  Heimdal support will be available shortly.

Jeffrey Altman


On 8/29/2010 12:36 PM, Bo Nygaard Bai wrote:
> I have recently migrated our old AFS cell from kaserver to Heimdal with
> kaserver emulation. Yes, I know! This was probably the last cell to do
> this.
> 
> Basically I did this:
> 
>  * Make a copy of the kaservers database
>  * Import the database into Heimdal (using hprop | hpropd from the FAQ)
>  * Install Heimdal slave KDCs on all AFS database servers
>  * Enable kaserver emulation on the Heimdal slave KDCs
> 
> This works perfectly for all our Unix variants. But existing Windows
> clients could not authenticate unless I enable Kerberos 4 support and
> disable preauthentication for all users.
> 
> Heimdal log from Unix klog:
> Aug 29 18:27:05 afsdb1 kdc[12185]: AS-REQ (kaserver)
> esbens...@ies.auc.dk from IPv4:130.225.51.24 for
> krbtgt.ies.auc...@ies.auc.dk
> Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup esben...@ies.auc.dk succeeded
> Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup krbtgt/ies.auc...@ies.auc.dk
> succeeded
> Aug 29 18:27:05 afsdb1 kdc[12185]: sending 172 bytes to IPv4:130.225.51.24
> 
> Heimdal log from Windows OpenAFS client:
> Aug 29 18:32:18 afsdb3 kdc[6647]: AS-REQ (krb4) b...@ies.auc.dk from
> IPv4:172.29.18.172 for a...@ies.auc.dk
> Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup b...@ies.auc.dk succeeded
> Aug 29 18:32:18 afsdb3 kdc[6647]: Lookup a...@ies.auc.dk succeeded
> Aug 29 18:32:18 afsdb3 kdc[6647]: sending 102 bytes to IPv4:172.29.18.172
> 
> It feels like a step backwards on security from using the kaserver.
> 
> Does the OpenAFS client for Windows only work with Kerberos 4?
> 
> Do I really need to disable preauthentication until all clients have
> switched to use the MIT tools?
> 
> /Bo Bai

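Added example, not part of the original messages and not OpenAFS or Heimdal code: a small Python script that reads KDC log lines in the format quoted above and lists which principals and addresses still send `AS-REQ (krb4)` or `AS-REQ (kaserver)` requests, so an administrator can see which clients have yet to move to Kerberos v5. The sample log lines, principals and addresses are constructed, and the script assumes each log entry is on a single line and that requests without a protocol tag are not legacy requests.

```python
import re
from collections import defaultdict

# Matches the AS-REQ entries in the format quoted in the message; the tag in
# parentheses ("kaserver" or "krb4") is what marks a legacy request.
AS_REQ = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kdc\[\d+\]:\s+"
    r"AS-REQ\s+\((?P<proto>kaserver|krb4)\)\s+(?P<client>\S+)\s+"
    r"from\s+IPv[46]:(?P<addr>\S+)\s+for\s+(?P<server>\S+)$"
)

# Constructed sample input (documentation addresses, example realm).
SAMPLE = """\
Aug 29 18:27:05 afsdb1 kdc[12185]: AS-REQ (kaserver) alice@EXAMPLE.ORG from IPv4:192.0.2.24 for krbtgt.EXAMPLE.ORG@EXAMPLE.ORG
Aug 29 18:27:05 afsdb1 kdc[12185]: Lookup alice@EXAMPLE.ORG succeeded
Aug 29 18:32:18 afsdb3 kdc[6647]: AS-REQ (krb4) bob@EXAMPLE.ORG from IPv4:198.51.100.172 for afs@EXAMPLE.ORG
Aug 29 18:32:18 afsdb3 kdc[6647]: sending 102 bytes to IPv4:198.51.100.172
Aug 29 18:40:02 afsdb3 kdc[6647]: AS-REQ (krb4) bob@EXAMPLE.ORG from IPv4:198.51.100.172 for afs@EXAMPLE.ORG
"""


def legacy_clients(lines):
    """Return {(addr, client): {"protos": set, "count": int, "last": ts}}."""
    seen = defaultdict(lambda: {"protos": set(), "count": 0, "last": None})
    for line in lines:
        m = AS_REQ.match(line.strip())
        if not m:
            continue  # lookups, replies and untagged requests are skipped
        entry = seen[(m["addr"], m["client"])]
        entry["protos"].add(m["proto"])
        entry["count"] += 1
        entry["last"] = m["ts"]  # log is chronological, so last match wins
    return dict(seen)


def krb4_principals(lines):
    """Principals that were seen sending plain Kerberos 4 AS-REQs."""
    found = legacy_clients(lines)
    return sorted({c for (_, c), e in found.items() if "krb4" in e["protos"]})


if __name__ == "__main__":
    for (addr, client), e in sorted(legacy_clients(SAMPLE.splitlines()).items()):
        protos = ",".join(sorted(e["protos"]))
        print(f"{client:24} {addr:18} {protos:10} n={e['count']} last={e['last']}")
```
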