Re: Heimdal versus Krb4 versus AFS
On Thu, 18 Sep 2003, Love wrote:
>
> Martin MOKREJŠ <mmokrejs@natur.cuni.cz> writes:
>
> > Please release it. Neither OpenSSH-3.7.1p1 nor 3.6.1p2 works with
> > heimdal or krb4. Actually, OpenSSH-3.7.1p1 does not have the krb4 code at
> > all, but the krb5 code does not work for me. Unfortunately, 3.6.1p2 also
> > does not run with heimdal/krb4 for me.
> >
> > I'm curious how openssh-3.7.1p1 is supposed to work with AFS when there's
> > no krb4 support. Can you explain that to me?
>
> what afs support are you talking about, ssh token forwarding or something

Sorry, I'm not much of an expert in this, but yes, I think I meant token
forwarding, but mainly I should say krb4 support, as I thought it is
*required* in AFS authentication.

> else? heimdal has a libkafs that supports AFS without krb4, i.e.
> there is a working afslog.

OK, so I turn off all the kerberos4 related variables in krb5.conf,
compile heimdal with kaserver emulation and user authentication to AFS will
still work?

So I'd remove:

    [libdefaults]
        v4_instance_resolve = true
        krb4_get_tickets = yes
        v4_name_convert = {
            host = {
                rcmd = host
                ftp = ftp
            }
            plain = {
                something = something-else
            }
        }
    [realms]
        krb525_server = calomys.gsf.de
        v4_name_convert = {
            ftp = ftp
            pop = pop
            rcmd = host
        }
        v4_instance_convert = true
    [kdc]
        enable-kerberos4 = true
        enable-524 = true
        v4-realm = GSF.DE
        enable-kaserver = true

How should I proceed with:

    [kadmin]
        kdc = 146.107.217.152
        dns_lookup_realm = false
        dns_lookup_kdc = false
        #default_keys = v4 v5 afs3
        #default_keys = v4 afs3
        default_keys = des:pw-salt v4
        #supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
        default_etypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:
        default_etypes_des = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:
        afs-cell = gsf.de
        v4-realm = GSF.DE

How should I set `default_keys', `default_etypes' and `default_etypes_des'?
Should I regenerate /etc/krb5.keytab on machines?
I imagine in that scenario users will have only krb5 tickets,
there won't be /etc/srvtab etc. However, /usr/vice/etc/UserList will still
contain principal names in krb4 format with dot ...

> > So how does heimdal support AFS? What are those necessary configure flags
> > and krb5.conf entries?
>
> There are not flags, you can't turn it off.

Good.

--
Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
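
Added example, not part of the original message or of Heimdal: one way to locate the Kerberos 4 related keys named in the message above inside a krb5.conf, including keys nested in { } blocks, before deciding which to remove. The function name find_krb4_settings and the sample text are assumptions made for illustration; the key list is copied from the message and is not an authoritative list of Heimdal options.

```python
import re

# Kerberos 4 related keys exactly as they appear in the message above.
KRB4_KEYS = {
    "v4_instance_resolve", "krb4_get_tickets", "v4_name_convert",
    "krb525_server", "v4_instance_convert", "enable-kerberos4",
    "enable-524", "v4-realm", "enable-kaserver",
}

def find_krb4_settings(text):
    """Return (line_no, section, dotted_path) for each krb4-related key."""
    hits, section, stack = [], None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:                             # new [section]; nesting resets
            section, stack = m.group(1), []
            continue
        if line.startswith("}"):
            del stack[-1:]                # close the innermost { block
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue                      # not a key = value line
        if key in KRB4_KEYS:
            hits.append((no, section, ".".join(stack + [key])))
        if value == "{":                  # key opens a nested block
            stack.append(key)
    return hits

# Constructed sample, modelled on the fragments quoted in the message.
SAMPLE = """\
[libdefaults]
    # krb4_get_tickets = yes
    v4_name_convert = {
        host = {
            rcmd = host
        }
    }
[kdc]
    enable-kerberos4 = true
    enable-kaserver = true
"""

if __name__ == "__main__":
    for no, section, path in find_krb4_settings(SAMPLE):
        print(f"line {no}: [{section}] {path}")
```

Commented-out settings are skipped, so only keys that are actually in effect are reported.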