afs-krb5 integration

Sam Hartman hartmans at MIT.EDU
Thu Oct 17 16:31:20 EDT 2002


>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

    >> i have strange problems in integrating openafs into krb5.  I
    >> use openafs 1.2.7 and kerberos 1.2.6 for the slave-server and
    >> 1.2.4 for the kerberos master/admin server.  I checked
    >> everything with these key-versions (thanks to Derek on the
    >> openafs mailing list), but it did not help.  I always get
    >> "ticket contained unknown key version number"

    Ken> At the end of the day, there is a ticket in a Keyfile that
    Ken> does not agree with the service ticket stored in your KDC.
    Ken> This is the ONLY possible cause of this error (at least, the
    Ken> only one I've ever seen).


Except that your info is out of date.  Quoting the 1.2.6 README:

* krb524d will now, by default, convert krb5 tickets for afs service
  principals to special tokens that are actually just the EncryptedData
  part of a krb5 Ticket structure.  This may be overridden; please
  consult src/krb524/README for details.

And quoting that readme:

Krb524 AFS Conversion
---------------------

An alternate conversion is provided for AFS servers that support the
encrypted part of a krb5 ticket as an AFS token.  If the krb524d is
converting a principal whose first component is afs and if the
encrypted part of the ticket fits in 344 bytes, then it will default
to simply returning the encrypted part of the ticket as a token.  If
it turns out that the AFS server does not support the ticket, then
users will get an unknown key version error and the krb524d must be
configured to use v4 tickets for this AFS service.

The krb524d looks in the appdefaults section of krb5.conf for an
application called afs_krb5 to determine whether afs principals
support encrypted ticket parts as tokens.  The following configuration
fragment says that afs/sipb.mit.edu at ATHENA.MIT.EDU supports the new
token format but afs at ATHENA.MIT.EDU and
afs/athena.mit.edu at ATHENA.MIT.EDU do not.  Note that the default is to
assume afs servers support the new format.

[appdefaults]
afs_krb5 = { 
	ATHENA.MIT.EDU = {
		# This stanza describes principals in the
		#ATHENA.MIT.EDU realm
		afs = false
		afs/athena.mit.edu = false
		afs/sipb.mit.edu = true
	}
}
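
To make the README's decision rule concrete, here is an added example (not part of this thread and not MIT Kerberos code) that reads the afs_krb5 stanza quoted above with a minimal reader for that brace syntax (not libkrb5's profile parser) and applies the three conditions the README gives for krb524d: first principal component afs, encrypted part at most 344 bytes, and the principal not marked false in its realm stanza. The byte lengths and any principal other than the three in the stanza are constructed inputs.

```python
MAX_TOKEN_BYTES = 344  # README: encrypted part must fit in 344 bytes to be used as a token

# Constructed copy of the krb5.conf fragment quoted in the thread.
KRB5_CONF = """[appdefaults]
afs_krb5 = {
    ATHENA.MIT.EDU = {
        # This stanza describes principals in the
        #ATHENA.MIT.EDU realm
        afs = false
        afs/athena.mit.edu = false
        afs/sipb.mit.edu = true
    }
}
"""

def parse_afs_krb5(text):
    """{realm: {principal_name: bool}} from the afs_krb5 block of [appdefaults].
    Minimal reader for the brace syntax shown above, not libkrb5's profile parser."""
    result, section, stack = {}, None, []   # stack: names of the open "{" blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stack = line[1:-1], []
            continue
        if section != "appdefaults":
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(key)
        elif len(stack) == 2 and stack[0] == "afs_krb5":
            result.setdefault(stack[1], {})[key] = value.lower() == "true"
    return result

def supports_encrypted_token(config, principal):
    """README default: assume the afs principal accepts the new token unless its realm stanza says false."""
    name, _, realm = principal.rpartition("@")
    return config.get(realm, {}).get(name, True)

def krb524_conversion(config, principal, enc_part_len):
    """'encpart' if krb524d would hand back the EncryptedData part as the AFS token, else 'v4'."""
    name = principal.rpartition("@")[0]
    if (name.split("/", 1)[0] == "afs" and enc_part_len <= MAX_TOKEN_BYTES
            and supports_encrypted_token(config, principal)):
        return "encpart"
    return "v4"
```

A server that rejects the encrypted-part token with "unknown key version number" is the case the README describes: add its principal name under the realm with `= false` so the function, like krb524d, falls back to a v4 ticket.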


