[601] in Kerberos-V5-bugs


Re[4]: Using Aklog with Kerberos 5.4.1 to get an AFS Tok

daemon@ATHENA.MIT.EDU (gr_johnson@gate.pnl.gov)
Tue Jul 26 09:40:47 1994

Date: Tue, 26 Jul 1994 06:18 -0700 (PDT)
From: gr_johnson@gate.pnl.gov
To: tytso@MIT.EDU
Cc: DEEngert@anl.gov, krb5-bugs@MIT.EDU, auth-pilot@es.net, kerberos@MIT.EDU

     Thanks. And I appreciate the assistance you've given Doug and the 
     other members of the ESnet authentication pilot project over the past 
     couple of months.
     
     Jerry
______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: Using Aklog with Kerberos 5.4.1 to get an AFS Tok
Author:  tytso@MIT.EDU at -SMTPlink
Date:    7/25/94 10:03 PM


   Date: Mon, 25 Jul 1994 08:49 -0700 (PDT)
   From: gr_johnson@gate.pnl.gov

     So, Ted, do you have an alternative suggestion for how Doug can
     achieve his objective of using K5 to get AFS tokens with the least
     amount of baggage?

Fundamentally, an AFS token *is* a K4 ticket.

So, there are a couple of relatively simple solutions.  The first is to
build a kinit that gets V4 and V5 tickets, from a V5 KDC with the V4
compatibility mode turned on, and then you simply use the unmodified
aklog program to get AFS tokens from your V4 ticket cache.  This
requires that you have the V4 Kerberos library ported to all of your
platforms.  Given that we already have the V4 Kerberos library under
Configure (graciously donated to the net by Cygnus Consulting, inc.)
this should be easy.  I do intend to integrate this into a future
Kerberos V5 release, so it would be quite seamless.

The other is what Derek suggested, which is to run the krb425d on the
Kerberos server, and then use the krb425 program to get V4 tickets from
your V5 tickets, and then run the unmodified aklog program.

The final solution is to do something like what Doug did, which is to
modify aklog to call krb425d to convert a V5 ticket into a V4 ticket,
and then have aklog use that V4 ticket ---- what I objected to was his
modification of the krb425 library.  As Doug noted in a later message,
he just did that out of expediency's sake; he could have easily cut the
code out, which would have been the right thing.

Personally, I'm in favor of the first solution; since it's much simpler
to simply request both V4 and V5 requests the first time, we probably
won't bother running the krb425 daemon at MIT.

                              - Ted


