Kerberos 5-to-4 ticket conversion (aklog with Heimdal?)
Assar Westerlund
assar at stacken.kth.se
Fri May 25 01:13:42 CEST 2001
"Economou, Matthew [EESUS]" <MEconom at EESUS.JNJ.com> writes:
> I am trying to get Kerberos 5-to-4 ticket conversion working with
> NetBSD/i386 1.5, kth-krb4-1.0.1, and arla-0.34.5. The AFS server is
> running OpenAFS 1.0.4 and krb524d (from MIT Kerberos V 1.2.2). The
> KDC is Windows 2000.
>
> With OpenAFS and Kerberos 5, one must use "aklog" with the krb524
> service to convert one's Kerberos 5 tickets into AFS tokens. aklog
> does this by obtaining a V5 service ticket from the TGS (afs at REALM or
> afs/cell at REALM) and sending it to the krb524 daemon for conversion
> into a V4 ticket. When one doesn't have 5-to-4 support in their KDC
> (as is the case with Active Directory and most commercial DCE
> implementations), krb524d can be configured to read the unencrypted V5
> ticket from the keytab.
Storing the key of the krbtgt service in a keytab on the machine
running krb524d?
> There is a bit of a hack to my configuration. I don't have a version
> of krb524d that runs on Windows. To get aklog to find krb524d, I have
> the Unix server it runs on listed as a KDC. (One of these days I'm
> going to get a UDP proxy working on the Windows server and be done
> with the hack.)
(There's a program called krb-forward
(ftp://ftp.stacken.kth.se/pub/projekts/krb-forward) that Love wrote
that should be able to act as a proxy for you.)
Do you forward v5 packets from your Unix server to the Windows KDC also?
> Supposedly, Heimdal, KTH-KRB, and Arla provide functionality similar
> to aklog. The "kinit", "kauth", and "afslog" programs included with
> Heimdal (in the base installation) and KTH-KRB (from the ports
> collection) should handle conversion from Kerberos 5 to Kerberos 4. I
> haven't been able to get this conversion to work. In fact, afslog
> doesn't seem to be able to obtain V5 AFS service tickets, even though
> Kerberos authentication against a Windows 2000 KDC is fairly straight
> forward.
Let me try to straighten things out here:
kth-krb's kauth/afslog obtain a v4 ticket with the v4 protocol and
then install the token.
heimdal's kauth/afslog use the 524 protocol to obtain the ticket.
Arla provides:
  klog (which is provided to be command-line compatible with Transarc's
  klog) that actually uses the same mechanisms as krb4's kauth/afslog
  aklog, which works as krb4's kauth/afslog
  kalog, which uses the KA protocol for getting tickets/tokens
It sounds to me that you would want to use heimdal's programs. As to
why that doesn't work, I would need some more details on how it fails
to diagnose that for you.
> Has anyone been able to get this particular combination of client
> software to work?
>
> Has anyone successfully replaced Heimdal with MIT Kerberos on NetBSD?
I don't see why this would fail. configure && make should DTRT.
> Would aklog work with Arla? (It won't build against Heimdal because
> Heimdal lacks the krb524 library.)
I don't see why aklog wouldn't work. It should use the same pioctl
syscall to install the token. What 524 functions are you missing?
krb524_convert_creds_kdc is in Heimdal's libkrb5.
/assar
> -----Original Message-----
> From: Love [mailto:lha at stacken.kth.se]
> Sent: Thursday, April 26, 2001 11:09 PM
> To: Economou, Matthew [EESUS]
> Cc: 'arla-drinkers at stacken.kth.se'
> Subject: Re: Arla and Kerberos V?
>
>
> "Economou, Matthew [EESUS]" <MEconom at EESUS.JNJ.com> writes:
>
> > How do I convert Kerberos V tickets ("afs/cell at REALM") into tokens
> > usable by Arla? The client system is NetBSD 1.5 (which bundled
> > Heimdal), with the kth-krb4 and arla packages installed.
>
> You can try kinit --afslog, it works with my NetBSD-1.5U box.
>
> I hacked together that explains the situations and the history of the tools
> at: <http://www.stacken.kth.se/project/arla/html/arla.html#SEC36>