AuthCommands r9 - 28 Feb 2005 - 23:14 - JosephHVilas


An assortment of commands and tools related to AFS authentication sorted by authentication system.

KaServer -- AFS version of Kerberos V4

The klog command (and kpasswd too) tries several StringToKey functions.

  • klog -- authentication with KaServer by getting AFS service tickets and sending them to the (kernel) CacheManager. Can save the TGT in a file compatible with kinit (V4) as a non-default option.
  • tokens -- displays AFS service tickets (tokens) held by the CacheManager.
  • kpasswd -- change password in KaServer.
  • kas -- administrative interface to KaServer
  • inetd -- passes authentication information to network servers. See inetd. Avoid.
  • r* commands -- pass authentication information between trusting hosts (over a secure network). See Remote Services. Avoid and thread. These are not built by default in OpenAFS unless --enable-insecure is specified.

KerberosIV -- MIT reference for V4

  • kinit -- authenticates using standard UDP port 750. Also works with KaServer but doesn't get AFS service tickets (tokens).
  • ktadd -- adds a new key/principal to KeyDistributionCenter (KDC) (or changes the key if it already exists?)

KerberosV -- MIT reference for V5

There are more types of StringToKey functions in V5.

CharlesClancy posted a Perl script that provides a kas interface to kadmin, so that existing scripts (and users) that use kas can easily work in a K5 environment.

DerekAtkins provides this handy mapping from KerberosVMIT to KaServer:

| KerberosVMIT | KaServer |
| kinit + aklog/afslog | klog |
| kadmin | kas |
| kpasswd | kpasswd |

  • kinit -- authenticates using standard UDP port 88. Works with DCE, HeimdalKTH and ActiveDirectory (maybe?).
  • kpasswd -- change KDC password.
  • klist -- displays contents of ticket cache.
  • ktadmin
  • ktadd -- add a principal
    ktadd -k /etc/krb5/keytab -e des-cbc-crc:v4 afs@CS.UMD.EDU
  • ktremove -- removes a principal from the KDC
  • kprop

KerberosDCE -- DCE version of V5

  • kinit -- authenticates to DCE Security Server and also obtains authorization information (groups) from the DCE Privilege Server.
  • chpass -- change password
  • dcecp -- admin suite

HeimdalKTH -- International version of Kerberos V5

Here's some mail from DerrickBrashear for using HeimdalKTH for AFS authentication. An updated version of this document can be found here: file:/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt

The kas wrapper mentioned above may be useful for Heimdal environments too.

  • afslog
  • ktutil -- for example to create a KeyFile for AFS servers you can use this sequence
    ktutil -k keytab.afs get afs@MY.REALM
    ktutil copy FILE:keytab.afs AFSKEYFILE:/usr/vice/etc/KeyFile
    It can also convert from srvtab format.
  • hprop -- initializes a database from KaServer (?)
  • ipropd -- propagates KDC databases between master and slave servers?

ActiveDirectory -- Microsoft version of Kerberos V5

Other commands

  • aklog -- converts V5 TGT to AFS service tickets and gives them to the CacheManager. Is this part of the standard MIT K5 distribution?
  • ka-forwarder -- allows klog to work in V5 environments, not needed if you are willing to use kinit/aklog. This is a HeimdalKTH tool?
  • asetkey -- converts a V5 keytab file containing the AFS service ticket key and stores it into a KeyFile which AFS servers understand.
  • fakeka
  • r* commands -- where to get safe kerberized versions?
  • pts -- suite of commands for accessing the PtServer to manage AFS groups in all authentication environments.
  • uss -- user creation tool. It is documented in the admin guide. It has some support for alternate authentication systems, but probably works best in KaServer environments.


See SettingUpAuthentication

-- TedAnderson - 23 Jan 2002 -- TedAnderson - 06 Feb 2002 -- TedAnderson - 07 Mar 2002
