Is this too big of a change?

Douglas E. Engert deengert at anl.gov
Mon Aug 26 15:25:18 EDT 2002 

Sam Hartman wrote:
> 
> >>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
> 
> 
> Yes, you can.  However you may end up issuing v4 tickets rather than
> the new style AFS tokens because the new style tokens are only issued
> if the token is shorter than 344 bytes (current max token size in
> OpenAFS) which is unlikely if your tickets contain w2k authorization
> data.  However, the AFS server will hapilly still accept v4 tokens so
> all will continue to work.

The 344 byte limit, sort shoots down the use of the -dfs flag we had
in the ak5log, if the ticket was from W2K. 

But if you are using the krb524d to in effect convert a k5 
ticket to a k5 ticket, for use only by AFS, do you need to copy all
data?  You could leave out the w2k authorization data, as AFS will not
use it. 

In this case you could look at the krb524d as being the authentication
service to AFS. What is in a token after that is only needed by the AFS 
servers.  

Something else we have been doing is to use two keys, one for the principal
shared between the KDC and krb524d, and another shared between the krb524d 
and afs servers. This allows them to have different kvno, and different enctypes
The krb524d basically has access to the AFS keyfile. But this would not be true
if you eventually want to get to the point where the KDC is issuing the 
AFS token. 

This brings up the question, does the AFS token has to be a K5 ticket,
or just something which could take advantage the improved encryption andtimestamps
in k5?
 

 

 
 
 
   

> 
>     Douglas> As AFS starts to use K5, what are the relationships of
>     Douglas> the AFS cell name and the Kerberos realm name? Hopefully
>     Douglas> they are seperate. Where the principal used are something
>     Douglas> like afs/<afscell>@<krb5realm> With no assumptions about
>     Douglas> the afs cell matching the realm. This should also mean
>     Douglas> that the afsservers should be able to use principals from
>     Douglas> multiple realms.
> 
> Certainly this is true of the current k5 plan.  Naming gets much more
> complex for RXGSS and you should follow those discussions when they
> happen (I'm not particularly involved in anything to do with RXGSS so
> I don't really know the state).

Yes, If you are going to support GSS, I would like to make sure it works
with the GSI too.


-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the Kerberos mailing list