[4670] in Kerberos
Re: MIT Krb V/IV and AFS Krb.
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Wed Feb 22 22:07:50 1995
To: kerberos@MIT.EDU
Date: 23 Feb 1995 02:42:47 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)
In article <WUS.95Feb22145924@sce-16>, wus@sce-16 (Steven Wu) writes:
|> Does anyone have some experience on setting up MIT Krb V/IV and AFS
|> krb and make them talk to each other? Since we really want to have
|> secure X including xdm, xlock and access control and AFS working. Also
|> we might want to have rcmd commands (rlogin, rsh...) things work
|> correctly.
Our site has Kerberos V working in conjunction with AFS with no problem. The
following steps should suffice:
1) Get and install MIT's Kerberos 5 distribution (our installation is based on
the beta 2 distribution, since that's what our OpenV*Secure product is based
on, but I see no reason why beta 4 wouldn't work just as well). Make sure to
enable Kerberos 4 compatibility when compiling Kerberos 5.
2) Install the krb524 package that Barry Jaspan wrote. It's included in
recent MIT Kerberos 5 distributions, although it isn't compiled by default.
Basically, it provides a daemon that resides on the Kerberos server and
accepts requests to convert V5 tickets into V4 tickets, and a k524init client
which users run to produce a V4 ticket file from their V5 ticket file.
3) Install the aklog program distributed by MIT Athena. One version of it is
available in /afs/athena.mit.edu/astaff/project/afsdev/src/athena/aklog,
although I'm not sure that's the most up-to-date version. This program allows
you to authenticate to an AFS cell using an existing Kerberos V4 ticket file.
I believe Marc Horowitz is working on a version of aklog which uses the krb524
calls directly, so that it's possible to aklog directly from a V5 ticket file,
but I don't think he's done with it enough to distribute it yet (if he is,
he'll probably speak up :-).
--
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com
