An assortment of commands and tools related to AFS authentication sorted by authentication system.

KaServer -- AFS version of Kerberos V4

The klog command (and kpasswd too) tries several StringToKey functions.

  • klog -- authentication with KaServer by getting AFS service tickets and sending them to the (kernel) CacheManager. Can save the TGT in a file compatible with kinit (V4) as a non-default option.
  • tokens -- displays AFS service tickets (tokens) held by the CacheManager.
  • kpasswd -- change password in KaServer.
  • kas -- administrative interface to KaServer.
  • inetd -- passes authentication information to network servers. See inetd. Avoid.
  • r* commands -- pass authentication information between trusting hosts (over a secure network). See Remote Services. Avoid and thread. These are not built by default in OpenAFS unless --enable-insecure is specified.

KerberosIV -- MIT reference for V4

  • kinit -- authenticates using standard UDP port 750. Also works with KaServer but doesn't get AFS service tickets (tokens).
  • ktadd -- adds a new key/principal to KeyDistributionCenter (KDC) (or changes the key if it already exists?)

KerberosV -- MIT reference for V5

There are more types of StringToKey functions in V5.

Charles Clancy posted a Perl script that provides a kas interface to kadmin, so that existing scripts (and users) that use kas can easily work in a K5 environment.

Derek Atkins provides this handy mapping from KerberosVMIT to KaServer:

| KerberosVMIT         | KaServer |
|----------------------|----------|
| kinit + aklog/afslog | klog     |
| kadmin               | kas      |
| kpasswd              | kpasswd  |

  • kinit -- authenticates using standard UDP port 88. Works with DCE, HeimdalKTH and ActiveDirectory (maybe?).
  • kpasswd -- change KDC password.
  • klist -- displays contents of ticket cache.
  • ktadmin
  • ktadd -- add a principal
    ktadd -k /etc/krb5/keytab -e des-cbc-crc:v4 afs@CS.UMD.EDU
  • ktremove -- removes a principal from the KDC
  • kprop

KerberosDCE -- DCE version of V5

  • kinit -- authenticates to DCE Security Server and also obtains authorization information (groups) from the DCE Privilege Server.
  • chpass -- change password
  • dcecp -- admin suite

HeimdalKTH -- International version of Kerberos V5

Here's some mail from Derrick Brashear on using HeimdalKTH for AFS authentication. An updated version of this document can be found here:

The kas wrapper mentioned above may be useful for Heimdal environments too.

  • afslog
  • ktutil -- for example, to create a KeyFile for AFS servers you can use this sequence:
    ktutil -k keytab.afs get afs@MY.REALM
    ktutil copy FILE:keytab.afs AFSKEYFILE:/usr/vice/etc/KeyFile
    It can also convert from srvtab format.
  • hprop -- initializes a database from KaServer (?)
  • ipropd -- propagates KDC databases between master and slave servers?

ActiveDirectory -- Microsoft version of Kerberos V5

Other commands

  • aklog -- converts V5 TGT to AFS service tickets and gives them to the CacheManager. Is this part of the standard MIT K5 distribution?
  • ka-forwarder -- allows klog to work in V5 environments, not needed if you are willing to use kinit/aklog. This is a HeimdalKTH tool?
  • asetkey -- converts a V5 keytab file containing the AFS service ticket key and stores it into a KeyFile which AFS servers understand.
  • fakeka
  • r* commands -- where to get safe kerberized versions?
  • pts -- suite of commands for accessing the PtServer to manage AFS groups in all authentication environments.
  • uss -- user creation tool. It is documented in the admin guide. It has some support for alternate authentication systems, but probably works best in KaServer environments.

