Kerberos is a network authentication system which is available for Unix, Windows, Macintosh, and I'm sure lots of other platforms.
How does this relate to OpenAFS?
OpenAFS uses Kerberos to perform strong authentication for clients connecting to the AFS filespace. If you're new to Kerberos, you should take a look at the Kerberos FAQ located at http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html. For the impatient, a quick list of useful Kerberos-related terms will be available at KerberosTerms.
Note that there are two versions of Kerberos in wide usage. The latest is KerberosV, but AFS, for historical reasons, uses a modified version of Kerberos 4 (see KaServer). However, AFS can be integrated into a KerberosV realm, and in fact this is highly suggested for any new installations of AFS. See SettingUpAuthentication?.
Installing KerberosV along with OpenAFS will provide the basis for many other very cool features, such as a single repository for all authentication information for an administrative domain, integration with the Windows 2000/XP login mechanism, and even single-sign-on capability. Note that the further down you get in that list, the harder things become.
The installation documentation on the OpenAFS web site unfortunately does not include any information on integrating AFS into a KerberosV realm. (Work on install document & gotchas page later)
To compile OpenAFS with KerberosV support you need to pass the --with-krb5-conf=/path/to/krb5-config flag to configure.
If you're using KerberosVMIT version 1.2.6 or later, you'll need to add a section to krb5.conf on the krb524d host if you wish to continue using old-style KerberosIV? ticket-derived tokens:

    [appdefaults]
        afs_krb5 = {
            REALM.NAME = {
                afs = false
                afs/cell.name = false
            }
        }

where REALM.NAME and cell.name are the names of your KerberosRealm? and AFSCell? respectively.
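As an added example (not part of the original page or of OpenAFS), the following Python parses the [appdefaults] block of a krb5.conf-style file and checks that both AFS principals for a realm carry the afs_krb5 = false setting described above. The sample configuration is constructed inline with the page's placeholder names REALM.NAME and cell.name.

```python
"""Check the afs_krb5 appdefaults entries in a krb5.conf-style file."""
import re

# Constructed sample: the snippet from the page, with placeholder names.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = REALM.NAME

[appdefaults]
    afs_krb5 = {
        REALM.NAME = {
            afs = false
            afs/cell.name = false
        }
    }
"""


def parse_krb5_conf(text):
    """Return {section: tree}; a tree maps keys to strings or nested dicts."""
    sections, stack, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                  # new [section] resets nesting
            section = sections.setdefault(m.group(1), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError("key/value outside any [section]: %r" % raw)
        if line == "}":                        # close the innermost { } group
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in %r" % raw)
            stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            raise ValueError("expected key = value: %r" % raw)
        if value == "{":                       # open a nested group
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of file")
    return sections


def afs_krb5_disabled(conf, realm, cell):
    """True when both afs and afs/<cell> under afs_krb5/<realm> are false."""
    entry = conf.get("appdefaults", {}).get("afs_krb5", {}).get(realm, {})
    return entry.get("afs") == "false" and entry.get("afs/%s" % cell) == "false"
```

Run it against the real krb5.conf on the krb524d host by reading the file into parse_krb5_conf and calling afs_krb5_disabled with your realm and cell names.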
If you already have a working AFS cell using KaServer, check out DerrickBrashear's document for converting from the KaServer to HeimdalKTH here: file:/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt
For now a few links... explanations to follow later:
Some other issues to explain:
- PAM modules available for K5
- Admin differences between various K5 implementations
- krb524d -- which uses a K5 TGT to produce a V4 AFS service ticket which the CacheManager? needs. It does not need to run on the same machine as the KerberosV server, but it does need access to the AFS principal's key. This is not needed for HeimdalKTH, which implements both V4 and V5 services, but it is for MIT and ActiveDirectory.
- encryption types -- this is a per-key property, and V5 supports several (while V4 only supported one, namely what V5 calls des-cbc-crc). However, this is not the V5 default (which I think is des3), so you need to ensure that the AFS principal uses des-cbc-crc.
- StringToKey differences
Links
Main Site
-- TedAnderson - 22 Jan 2002
-- DerrickBrashear - 23 Jan 2002
-- TedAnderson - 23 Jan 2002
-- JasonGarman? - 30 Jan 2002
-- TedAnderson - 31 Jan 2002
See HeimdalKTH, ActiveDirectory, KerberosDCE?, AuthCommands, SettingUpAuthentication?.