KerberosV

Kerberos is a network authentication system which is available for Unix, Windows, Macintosh, and I'm sure lots of other platforms.

How does this relate to OpenAFS? OpenAFS uses Kerberos to perform strong authentication for clients connecting to the AFS filespace. If you're new to Kerberos, you should take a look at the Kerberos FAQ located at http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html. For the impatient, a quick list of useful Kerberos-related terms will be available at KerberosTerms.

Note that there are two versions of Kerberos in wide usage. The latest is KerberosV, but AFS, for historical reasons, uses a modified version of Kerberos 4 (see KaServer). However, AFS can be integrated into a KerberosV realm, and in fact is highly suggested for any new installations of AFS. See ?SettingUpAuthentication.

Installing KerberosV along with OpenAFS will provide the basis for many other very cool features, such as a single repository for all authentication information for an administrative domain, integration with the Windows 2000/XP login mechanism, and even single-sign-on capability. Note that the further down you get in that list, the harder things become.

The installation documentation on the OpenAFS web site unfortunately does not include any information on integrating AFS into a KerberosV realm. (Work on install document & gotchas page later)

To compile OpenAFS with KerberosV support you need to use the --with-krb5-conf=/path/to/krb5-config flag to configure.

If you're using KerberosVMIT versions 1.2.6 or later, you'll need to add a section to krb5.conf on the krb524d host if you wish to continue using old-style ?KerberosIV ticket derived tokens.

[appdefaults]
afs_krb5 = {
      REALM.NAME = {
                    afs = false
                    afs/cell.name = false
      }
}

Where REALM.NAME and cell.name are the names of your ?KerberosRealm and ?AFSCell respectively.

If you already have a working AFS cell using KaServer, check out ?DerrickBrashear's document for converting from the KaServer to HeimdalKTH here:

For now a few links... explanations to follow later:

Setting up ?OpenSSH to use KerberosV authentication: you can either use PAM to authenticate people (boring) or you can add the patches at http://www.sxw.org.uk/computing/patches/openssh.html to use existing KerberosV tickets for single-sign-on and automatic ticket forwarding (interesting). Note that by default this patch won't grab tickets when logging in via password - post small patch to enable this later.
If you're having trouble with ?KenHornstein's AFS-Kerberos5 migration kit available at ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/, see http://www.mathematik.uni-karlsruhe.de/~iwrmm/Persons/Schulz/Unix/afs/afs-krb5.html for tips. In particular check out the Makefile patches.
?DenizKanca posted Kerberos 5 and OpenAFS - Notes available on 19-Jan-2003 saying
... I took some notes on what I did when I set up Kerberos 5 and
```
<a href="../OpenAFS/">OpenAFS</a>

. Please note that this was done on a Redhat 8.0 installation and Redhat specifics (rpm, directory names etc) are assumed throughout.

<a href="http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html">http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html</a>

...</li>
```
John Boyland has a patch for Ken Hornstein's AFS Migration Kit v 2.0 that fixes some typos and includes updates suggested by other OpenAFS contributors.

An older AFS link page: http://www-2.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs.html

Some other issues to explain:

PAM modules available for K5
Admin differences between various K5 implementations
krb524d -- which uses a K5 TGT to produce a V4 AFS service ticket which the ?CacheManager needs. It does not need to run on the same machine as the KerberosV server but just needs access to the AFS principal's key. This is not needed for HeimdalKTH which implements V4 and V5 services, but is for MIT and ActiveDirectory.
encryption types -- this is a per key property and V5 supports several (while V4 only supported one, namely what V5 calls des-cbc-crc). However, this is not the V5 default (which I think is des3) so you need to ensure that the AFS principal uses des-cbc-crc.
StringToKey differences

Links

KerberosV version 1.3.1