Kerberos 5-to-4 ticket conversion (aklog with Heimdal?)
Neulinger, Nathan
nneul at umr.edu
Thu May 24 15:09:37 CEST 2001
aklog works with arla... also, if you build against the devel snapshots of
krb5 - they have support for defining a krb524_server in the krb5.conf file,
or using SRV records in DNS.
-- Nathan
-----Original Message-----
From: Economou, Matthew [EESUS] [mailto:MEconom at EESUS.JNJ.com]
Sent: Wednesday, May 23, 2001 12:29 PM
To: 'arla-drinkers at stacken.kth.se'
Subject: Kerberos 5-to-4 ticket conversion (aklog with Heimdal?)
I am trying to get Kerberos 5-to-4 ticket conversion working with
NetBSD/i386 1.5, kth-krb4-1.0.1, and arla-0.34.5. The AFS server is
running OpenAFS 1.0.4 and krb524d (from MIT Kerberos V 1.2.2). The
KDC is Windows 2000.
With OpenAFS and Kerberos 5, one must use "aklog" with the krb524
service to convert one's Kerberos 5 tickets into AFS tokens. aklog
does this by obtaining a V5 service ticket from the TGS (afs at REALM or
afs/cell at REALM) and sending it to the krb524 daemon for conversion
into a V4 ticket. When one doesn't have 5-to-4 support in their KDC
(as is the case with Active Directory and most commercial DCE
implementations), krb524d can be configured to read the unencrypted V5
ticket from the keytab. aklog then inserts the V4 ticket into the
kernel, and the AFS client uses that ticket to mutually authenticate
with the AFS server(s).
There is a bit of a hack to my configuration. I don't have a version
of krb524d that runs on Windows. To get aklog to find krb524d, I have
the Unix server it runs on listed as a KDC. (One of these days I'm
going to get a UDP proxy working on the Windows server and be done
with the hack.)
Supposedly, Heimdal, KTH-KRB, and Arla provide functionality similar
to aklog. The "kinit", "kauth", and "afslog" programs included with
Heimdal (in the base installation) and KTH-KRB (from the ports
collection) should handle conversion from Kerberos 5 to Kerberos 4. I
haven't been able to get this conversion to work. In fact, afslog
doesn't seem to be able to obtain V5 AFS service tickets, even though
Kerberos authentication against a Windows 2000 KDC is fairly
straightforward.
Has anyone been able to get this particular combination of client
software to work?
Has anyone successfully replaced Heimdal with MIT Kerberos on NetBSD?
Would aklog work with Arla? (It won't build against Heimdal because
Heimdal lacks the krb524 library.)
-----Original Message-----
From: Love [mailto:lha at stacken.kth.se]
Sent: Thursday, April 26, 2001 11:09 PM
To: Economou, Matthew [EESUS]
Cc: 'arla-drinkers at stacken.kth.se'
Subject: Re: Arla and Kerberos V?
"Economou, Matthew [EESUS]" <MEconom at EESUS.JNJ.com> writes:
> How do I convert Kerberos V tickets ("afs/cell at REALM") into tokens
> usable by Arla? The client system is NetBSD 1.5 (which bundled
> Heimdal), with the kth-krb4 and arla packages installed.
You can try kinit --afslog, it works with my NetBSD-1.5U box.
I hacked together that explains the situations and the history of the tools
at: <http://www.stacken.kth.se/project/arla/html/arla.html#SEC36>
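To make the two configurations discussed in this thread concrete (Matthew's workaround of listing the krb524d host as a KDC, and the krb524_server tag Nathan says the krb5 devel snapshots accept), here is an added krb5.conf fragment; it is not from either poster, and the realm and host names are placeholders.

```ini
# Added illustration, not from the thread. EXAMPLE.COM, dc1.example.com and
# krb524host.example.com are placeholders for the AD realm, the Windows 2000
# domain controller, and the Unix host that runs krb524d.
[realms]
    EXAMPLE.COM = {
        # The domain controller that actually issues tickets.
        kdc = dc1.example.com
        admin_server = dc1.example.com

        # Matthew's workaround: list the krb524d host as a second KDC so that
        # aklog's krb524 lookup reaches it. The cost is that the client will
        # also treat this host as a place to send real AS/TGS requests, so a
        # non-KDC machine ends up in the client's KDC list.
        # kdc = krb524host.example.com

        # With a krb5 build that understands the tag (the devel snapshots
        # mentioned above), name the converter explicitly instead, which keeps
        # the KDC list limited to real KDCs:
        krb524_server = krb524host.example.com
    }
```

The DNS alternative Nathan mentions would be an SRV record for the krb524 service (in MIT's scheme a `_krb524._udp.<realm>` record, assumed here from memory of the krb5 documentation rather than from the page) pointing at the same host, so that no client-side krb5.conf change is needed.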