[6114] in Kerberos


Re: AFS and Common Desk Top

daemon@ATHENA.MIT.EDU (Doug Engert)
Thu Nov 2 15:02:41 1995

Date: Thu, 02 Nov 95 13:44:28 CST
From: "Doug Engert" <DEEngert@anl.gov>
To: <warlord@MIT.EDU>, <kerberos@MIT.EDU>, <info-afs@transarc.com>,
        <info-dce@transarc.com>
Cc: <harris@email.unc.edu>

Derek Atkins <warlord@MIT.EDU> wrote:

> How many groups are you in?  On most platforms, the PAG is stored as
> special entries in the first two groups.  However if you have too many
> groups, you will not be able to get a PAG, so AFS will default to
> using the UID.

That's not the problem I am concerned about. It is a problem
with AFS, which some of our users have run into.
I am only in 3 groups. Let me tell you
what I have now, and what I am trying to accomplish.

We are using the DCE security server as the KDC. But the Kerberos
KDC should work as well except for the DCE context stuff.

I can use the Kerberos 5 beta 5 rlogin and rlogind to forward a
ticket from one machine to another.

I have a program k5dcelogin which can use the forwarded ticket to
get a DCE context. (DCE deletes the forwarded ticket cache and
creates its own, and sets a DCE PAG.) This program is invoked in
place of the login.krb5, and when it is done it transfers to
login.krb5. This works nicely since all the programs are run from
the same process.

I have a modified version of aklog which can use this forwarded
ticket to get a ticket for afsx/afs.cell.name, send it to
krb524d, which converts this to a v4 ticket for afs@afs.cell.name
and use this as an AFS token. (This aklog can also get a K5 ticket
which will work with the AFS/DFS translator.)

The problem is that the method of transferring from the rlogind
to k5dcelogin to login.krb5 will not work well with other
daemons such as ftpd, where I would like to use forwarded tickets
as well.

You can't link libkrb5.a and libdce.a in the same executable,
since they have the same named routines, but different
parameters, and different structures.

So I am looking at having ftpd spawn a child to do the K5 to DCE
and/or aklog processing. The problem comes in that the child is
setting the PAG, and not the parent.

I am looking at having the parent ftpd wait for the child to
complete, and pass back via a pipe the new name of the ticket
cache, and the group numbers to be added for the PAG. Hopefully
this would be adequate, but I don't have source for DCE or AFS to
know if this will work in all cases. I hope to try this in a few
days.

Any ideas?

           Douglas E. Engert
           Systems Programming
           Argonne National Laboratory
           9700 South Cass Avenue
           Argonne, Illinois  60439
           (708) 252-5444

           Internet: DEEngert@anl.gov
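The pipe handoff proposed in the message above, as an added example that is not part of the original post nor of any AFS or DCE code: the child's real K5-to-DCE and aklog work is replaced by a constructed reply line, and the reply format ("CC=... PAG=..."), the 16-group cap and the gid values are assumptions. What it demonstrates is the parent side: parsing the reply, placing the two PAG entries in the first group slots, and refusing (rather than silently falling back to the UID) when the group list would overflow, the case raised in Derek's reply.

```c
#define _GNU_SOURCE
/* Added example (not the author's code): the parent/child PAG handoff the post proposes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <grp.h>

#define PAG_GROUPS 2   /* AFS keeps the PAG in the first two group slots */
#define GROUP_CAP 16   /* hypothetical per-process group limit for the demo */
struct pag_reply { char ccname[256]; gid_t pag[PAG_GROUPS]; };

/* Parse the child's reply "CC=<cache path> PAG=<gid0>,<gid1>" (assumed format). */
int parse_pag_reply(const char *line, struct pag_reply *r)
{
    unsigned long g0, g1;
    if (sscanf(line, "CC=%255s PAG=%lu,%lu", r->ccname, &g0, &g1) != 3) return -1;
    r->pag[0] = (gid_t)g0; r->pag[1] = (gid_t)g1;
    return 0;
}

/* Put the two PAG entries before the existing groups. Returns the new count, or -1
 * when the list would overflow: the "too many groups, so no PAG" case from the thread. */
int merge_pag_groups(const gid_t *cur, int ncur, const gid_t *pag, gid_t *out, int cap)
{
    if (ncur < 0 || ncur + PAG_GROUPS > cap) return -1;
    memcpy(out, pag, PAG_GROUPS * sizeof *out);
    memcpy(out + PAG_GROUPS, cur, (size_t)ncur * sizeof *out);
    return ncur + PAG_GROUPS;
}

int main(void)
{
    int fd[2], nnew; char buf[512]; struct pag_reply r; gid_t cur[GROUP_CAP], out[GROUP_CAP];
    if (pipe(fd) != 0) return 1;
    pid_t pid = fork();
    if (pid == 0) {  /* child stands in for k5dcelogin + aklog; its reply is constructed */
        const char *reply = "CC=/tmp/krb5cc_p1234 PAG=1234,5678\n";
        close(fd[0]); write(fd[1], reply, strlen(reply)); _exit(0);
    }
    close(fd[1]); ssize_t n = read(fd[0], buf, sizeof buf - 1); waitpid(pid, NULL, 0);
    if (n <= 0) return 1; buf[n] = '\0';
    if (parse_pag_reply(buf, &r) != 0) return 1;
    nnew = merge_pag_groups(cur, getgroups(GROUP_CAP, cur), r.pag, out, GROUP_CAP);
    if (nnew < 0) { fprintf(stderr, "too many groups, PAG not set\n"); return 1; }
    setenv("KRB5CCNAME", r.ccname, 1);  /* parent switches to the child's cache */
    if (setgroups(nnew, out) != 0) perror("setgroups (needs root)");
    return 0;
}
```

setgroups() only succeeds as root, which is the situation for a daemon like ftpd; as an unprivileged user the program still exercises the parse and merge logic and reports the failure.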
