Kerberos 5-to-4 ticket conversion (aklog with Heimdal?)
Economou, Matthew [EESUS]
MEconom at EESUS.JNJ.com
Thu May 24 08:01:10 CEST 2001
I am trying to get Kerberos 5-to-4 ticket conversion working with
NetBSD/i386 1.5, kth-krb4-1.0.1, and arla-0.34.5. The AFS server is
running OpenAFS 1.0.4 and krb524d (from MIT Kerberos V 1.2.2). The
KDC is Windows 2000.
With OpenAFS and Kerberos 5, one must use "aklog" with the krb524
service to convert one's Kerberos 5 tickets in to AFS tokens. aklog
does this by obtaining a V5 service ticket from the TGS (afs at REALM or
afs/cell at REALM) and sending it to the krb524 daemon for conversion
into a V4 ticket. When one doesn't have 5-to-4 support in their KDC
(as is the case with Active Directory and most commercial DCE
implementations), krb524d can be configured to read the unencrypted V5
ticket from the keytab. aklog then inserts the V4 ticket into the
kernel, and the AFS client uses that ticket to mutually authenticate
with the AFS server(s).
There is a bit of a hack to my configuration. I don't have a version
of krb524d that runs on Windows. To get aklog to find krb524d, I have
the Unix server it runs on listed as a KDC. (One of these days I'm
going to get a UDP proxy working on the Windows server and be done
with the hack.)
Supposedly, Heimdal, KTH-KRB, and Arla provide functionality similar
to aklog. The "kinit", "kauth", and "afslog" programs included with
Heimdal (in the base installation) and KTH-KRB (from the ports
collection) should handle conversion from Kerberos 5 to Kerberos 4. I
haven't been able to get this conversion to work. In fact, afslog
doesn't seem to be able to obtain V5 AFS service tickets, even though
Kerberos authentication against a Windows 2000 KDC is fairly straight
forward.
Has anyone been able to get this particular combination of client
software to work?
Has anyone successfully replaced Heimdal with MIT Kerberos on NetBSD?
Would aklog work with Arla? (It won't build against Heimdal because
Heimdal lacks the krb524 library.)
-----Original Message-----
From: Love [mailto:lha at stacken.kth.se]
Sent: Thursday, April 26, 2001 11:09 PM
To: Economou, Matthew [EESUS]
Cc: 'arla-drinkers at stacken.kth.se'
Subject: Re: Arla and Kerberos V?
"Economou, Matthew [EESUS]" <MEconom at EESUS.JNJ.com> writes:
> How do I convert Kerberos V tickets ("afs/cell at REALM") into tokens
> usable by Arla? The client system is NetBSD 1.5 (which bundled
> Heimdal), with the kth-krb4 and arla packages installed.
You can try kinit --afslog, it works with my NetBSD-1.5U box.
I hacked together that explains the situations and the history of the tools at: <http://www.stacken.kth.se/project/arla/html/arla.html#SEC36>
More information about the Arla-drinkers
mailing list