Windows with Krb5
Kevin Rowland
krowland@nd.edu
Tue, 24 Apr 2001 08:55:42 -0500
The NT client doesn't use fakeka for its authentication. It uses
udp/750 (standard K4). Because of that, the first enctype that is stored
in the KDC for a user is the one that will be used (I think). What we
did was make sure our kdc.conf listed the 'des-cbc-crc:afs3' enctype
first. This seemed to satisfy the NT clients. UMICH has made some
modifications to the K4 libraries to make them act more like a kaServer,
but since we have no K4 salted keys (only afs3 style) besides the K5
keys in the KDC, we just ordered them with afs3 at the top.
Question: Does anyone see that as being a problem? So far everything
seems fine in our testing. Since K5 allows for the client to specify
which enctype it supports, the issue seemed to only affect K4 style
authentications...
-- kevin
/-------------------------------------------------------------------\
| Kevin Rowland Phone: (219)631-4745 |
| Sr. Systems Engineer Email: krowland@nd.edu |
| Office of Information Technology G208 Hesburgh Library |
| University of Notre Dame Notre Dame, IN 46556 |
\-------------------------------------------------------------------/
Elmar Abeln wrote:
>
> Has anyone successfully used the Windows AFS client in an AFS cell with Ken
> Hornstein's NRL AFS-Kerberos5 migration kit (which allow you to run a
> normal Krb5 server, storing afs3, krb5, and krb4 keys)? We've successfully
> used it with unix clients (using aklog to obtain AFS tokens from krb5
> tickets) and have preserved the ability for users from foreign cells to
> authenticate to our servers by running "fakeka", which decodes just enough
> of the RX packet to forward the authentication request to the krb5 server.
> So far so good... but the Windows AFS client has looked more attractive to
> us lately and we cannot get it to work with our modified setup...
>
> I can browse AFS filespace unauthenticated just fine. I can
> successfully obtain tokens for an unmodified AFS.
>
> But authenticating to the KDC Server I got at first the error
> The AFS Client was unable to obtain tokens as x30 in cell urz.uni-heidelberg.de
> Error: 37 (unknown authentication error 37).
>
> This was a result of badly skewed times on Win and Kdc-Server (sol 7)
> But after correcting this problem I got an expired token (!) with
> expiration time 11:41:00 12/12/17 (!!!).
> Has anyone an idea ?
>
> Thanks for the help.
>
> Elmar
>
> ------------------------------------------------------------------------
> Dr. Elmar Abeln email: Elmar.Abeln@URZ.Uni-Heidelberg.DE
> Universitaetsrechenzentrum
> Im Neuenheimer Feld 293 phone: +49 (6221) 54 4513
> D 69120 Heidelberg fax: +49 (6221) 54 5581
> ---------------------------------------------------------------------------
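As an added example (not code from either poster), a small check for the ordering Kevin describes: parse an MIT-style kdc.conf and confirm that `des-cbc-crc:afs3` is the first entry in a realm's `supported_enctypes`, since Kevin's observation is that the first stored enctype is the one a K4-only NT client ends up using. The kdc.conf text and the realm name EXAMPLE.EDU are constructed for this example.

```python
import re

# Constructed kdc.conf fragment (not from the thread), in MIT krb5 format,
# using the ordering described in the post: the afs3-salted DES key first.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    EXAMPLE.EDU = {
        database_name = /var/krb5kdc/principal
        supported_enctypes = des-cbc-crc:afs3 des-cbc-crc:v4 des3-cbc-sha1:normal
    }
"""

def parse_supported_enctypes(conf_text):
    """Return {realm: [enctype:salt, ...]} taken from the [realms] section."""
    realms = {}
    in_realms = False
    current = None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('['):               # a new section header
            in_realms = (line.lower() == '[realms]')
            continue
        if not in_realms:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)  # "REALM = {" opens a realm
        if m:
            current = m.group(1)
            realms.setdefault(current, [])
            continue
        if line == '}':                        # closes the current realm
            current = None
            continue
        if current and line.startswith('supported_enctypes'):
            _, _, value = line.partition('=')
            realms[current] = value.split()    # order is what matters here
    return realms

def first_enctype_is(realms, realm, wanted='des-cbc-crc:afs3'):
    """True when `wanted` is listed first (hence used first) for `realm`."""
    ents = realms.get(realm, [])
    return bool(ents) and ents[0] == wanted
```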