[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal versus Krb4 versus AFS

On Thu, 18 Sep 2003, Love wrote:

> Martin MOKREJ? <mmokrejs@natur.cuni.cz> writes:
> > Please release it. OpenSSH-3.7.1p1 nor 3.6.1p2 works neither with
> > heimdal nor krb4. Actually, OpenSSH-3.7.1p1 does not have the krb4 code at
> > all, but the krb5 code does not work for me. Unfortunately, also 3.6.1p2
> > doe snot run with heimdal/krb4 for me.
> >
> > I'm curious how is openssh-3.7.1p1 supposed to work with AFS, when there's
> > not krb4 support. Can you explain me that?
> what afs support are you talking about, ssh token forwarding or something

Sorry, I'm not much expert in this, but yes, I think I meant token
forwarding, but mainly should say krb4 support as I thought it is
*required* in AFS autentication.

> else? heimdal have a libkafs that supports AFS without krb4, ie working
> there is a working afslog.

OK, so I turn off all the kerberos4 related variables in krb5.conf,
compile heimdal with kaserver emulation and user autentication to AFS will
still work?

  So I'd remove:

        v4_instance_resolve = true
        krb4_get_tickets = yes
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                plain = {
                        something = something-else

                krb525_server = calomys.gsf.de
                v4_name_convert = {
                        ftp = ftp
                        pop = pop
                        rcmd = host
                v4_instance_convert = true

        enable-kerberos4 = true
        enable-524 = true
        v4-realm = GSF.DE
        enable-kaserver = true

How should I proceed with:

kdc =
dns_lookup_realm = false
dns_lookup_kdc = false
#default_keys = v4 v5 afs3
#default_keys = v4 afs3
default_keys = des:pw-salt v4
#supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
default_etypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:
default_etypes_des = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
afs-cell = gsf.de
v4-realm = GSF.DE

How should I set `default_keys', `default_etypes' and `default_etypes_des'.
Should I regenerate /etc/krb5.keytab on machines?

I imagine in that scenario users will have only krb5 tickets,
there won't be /etc/srvtab etc. However, /usr/vice/etc/UserList will still
contain principal names in krb4 format with dot ...

> > So how does heimdal support AFS? What are those neccessary configure flags
> > and krb5.conf entries?
> There are not flags, you can't turn it off.

Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585