>>>>> "Ken" == Ken Hornstein <[EMAIL PROTECTED]> writes:

    >> I have strange problems in integrating openafs into krb5.  I
    >> use openafs 1.2.7 and kerberos 1.2.6 for the slave-server and
    >> 1.2.4 for the kerberos master/admin server.  I checked
    >> everything with these key-versions (thanks to Derek on the
    >> openafs mailing list), but it did not help.  I always get
    >> "ticket contained unknown key version number"

    Ken> At the end of the day, there is a ticket in a Keyfile that
    Ken> does not agree with the service ticket stored in your KDC.
    Ken> This is the ONLY possible cause of this error (at least, the
    Ken> only one I've ever seen).


Except that your info is out of date.  Quoting the 1.2.6 README:

* krb524d will now, by default, convert krb5 tickets for afs service
  principals to special tokens that are actually just the EncryptedData
  part of a krb5 Ticket structure.  This may be overridden; please
  consult src/krb524/README for details.

And quoting that readme:

Krb524 AFS Conversion
---------------------

An alternate conversion is provided for AFS servers that support the
encrypted part of a krb5 ticket as an AFS token.  If the krb524d is
converting a principal whose first component is afs and if the
encrypted part of the ticket fits in 344 bytes, then it will default
to simply returning the encrypted part of the ticket as a token.  If
it turns out that the AFS server does not support the ticket, then
users will get an unknown key version error and the krb524d must be
configured to use v4 tickets for this AFS service.

The krb524d looks in the appdefaults section of krb5.conf for an
application called afs_krb5 to determine whether afs principals
support encrypted ticket parts as tokens.  The following configuration
fragment says that [EMAIL PROTECTED] supports the new
token format but [EMAIL PROTECTED] and
[EMAIL PROTECTED] do not.  Note that the default is to
assume afs servers support the new format.

[appdefaults]
afs_krb5 = { 
        ATHENA.MIT.EDU = {
                # This stanza describes principals in the
                #ATHENA.MIT.EDU realm
                afs = false
                afs/athena.mit.edu = false
                afs/sipb.mit.edu = true
        }
}
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
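
The selection rule the quoted README describes, modeled as an added Python example (not krb524d's code and not part of the original message): it parses the README's afs_krb5 stanza and reports which conversion a given afs principal would get. The function names, the return labels and the simplified realm-then-principal lookup are assumptions made for illustration.

```python
# Added example: models the rule in src/krb524/README; not krb524d source.
# Constructed sample: the afs_krb5 stanza from the README quoted above.
SAMPLE_CONF = """\
[appdefaults]
afs_krb5 = {
        ATHENA.MIT.EDU = {
                # principals in the ATHENA.MIT.EDU realm
                afs = false
                afs/athena.mit.edu = false
                afs/sipb.mit.edu = true
        }
}
"""

MAX_TOKEN_LEN = 344  # "fits in 344 bytes", per the README
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

def parse_afs_krb5(text):
    """Return {realm: {principal: bool}} from [appdefaults] afs_krb5."""
    root, stack, section = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if line.startswith("["):              # section header
            section = line.strip("[]")
            continue
        if section != "appdefaults":
            continue
        if line == "}":                       # close current stanza
            cur = stack.pop() if stack else root
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if val == "{":                        # open nested stanza
            stack.append(cur)
            cur = cur.setdefault(key, {})
        else:
            cur[key] = val.lower() in TRUE_WORDS
    return root.get("afs_krb5", {})

def conversion_for(principal, realm, enc_part_len, conf):
    """Return 'enc-part-token' or 'v4-ticket' (hypothetical labels)."""
    if principal.split("/", 1)[0] != "afs":   # first component must be afs
        return "v4-ticket"
    if enc_part_len > MAX_TOKEN_LEN:          # encrypted part does not fit
        return "v4-ticket"
    # Default is to assume the AFS server supports the new format.
    supported = conf.get(realm, {}).get(principal, True)
    return "enc-part-token" if supported else "v4-ticket"
```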