[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AFS Keyfile Problem




Pär Ekstrand <pe@mech.kth.se> writes:

> Hi,
>
> I'm trying to setup a Heimdal real and an OpenAFS cell
> on a Debian Woody computer.

I don't know what you tested and can't remeber if I pulled up the info text
to the 0.6 branch, so I just send it here:

Love



Making things work on Transarc/OpenAFS AFS
==========================================

How to get a KeyFile
--------------------

`ktutil -k AFSKEYFILE:KeyFile get afs@MY.REALM'

or you can extract it with kadmin

     kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@My.CELL.NAME

You have to make sure you have a `des-cbc-md5' encryption type since
that is the key that will be converted.

How to convert a srvtab to a KeyFile
------------------------------------

You need a `/usr/vice/etc/ThisCell' containing the cellname of you
AFS-cell.

`ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile'.

If keyfile already exists, this will add the new key in afs-srvtab to
KeyFile.

Using 2b tokens with AFS
========================

What is 2b ?
------------

2b is the name of the proposal that was implemented to give basic
Kerberos 5 support to AFS in rxkad. Its not real Kerberos 5 support
since it still uses fcrypt for data encryption and not Kerberos
encryption types.

Its only possible (in all cases) to do this for DES encryption types
because only then the token (the AFS equivalent of a ticket) will be be
smaller than the maximum size that can fit in the token cache in
OpenAFS/Transarc client. Its so tight fit that some extra wrapping on
the ASN1/DER encoding is removed from the Kerberos ticket.

2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for
the part of the ticket that is encrypted with the service's key. The
client doesn't know what's inside the encrypted data so to the client
it doesn't matter.

To  differentiate between Kerberos 4 tickets and Kerberos 5 tickets 2b
uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens.

Its a requirement that all AFS servers that support 2b also support
native Kerberos 5 in rxkad.

Configuring Heimdal to use 2b tokens
------------------------------------

Support for 2b tokens are turned on for specific principals by adding
them to the string list option `[kdc]use_2b' in the kdc's `krb5.conf'
file.

     [kdc]
     	use_2b = {
     		afs@SU.SE = yes
     		afs/it.su.se@SU.SE = yes
     	}

Configuring AFS clients
-----------------------

There is no need to configure AFS clients. The only software that needs
to be installed/upgrade is a Kerberos 5 enabled `afslog'.

PGP signature