Previous: Authentication modules, Up: Applications

5.2 AFS

AFS is a distributed filesystem that uses Kerberos for authentication.

For more information about AFS see OpenAFS and Arla

5.2.1 kafs and afslog

afslog(1) will obtains AFS tokens for a number of cells. What cells to get tokens for can either be specified as an explicit list, as file paths to get tokens for, or be left unspecified, in which case will use whatever magic kafs(3) decides upon.

If not told what cell to get credentials for, kafs(3) will search for the files ThisCell and TheseCells in the locations specified in kafs(3) and try to get tokens for these cells and the cells specified in $HOME/.TheseCells.

More usefully it will look at and ~/.TheseCells in your home directory and for each line which is a cell get afs token for these cells.

The TheseCells file defines the the cells to which applications on the local client machine should try to aquire tokens for. It must reside in the directories searched by kafs(3) on every AFS client machine.

The file is in ASCII format and contains one character string, the cell name, per line. Cell names are case sensitive, but most cell names are lower case.

See manpage for kafs(3) for search locations of ThisCell and TheseCells.

5.2.2 How to get a KeyFile

ktutil -k AFSKEYFILE:KeyFile get afs@MY.REALM

or you can extract it with kadmin

     kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@My.CELL.NAME

You have to make sure you have a des-cbc-md5 encryption type since that is the enctype that will be converted.

5.2.3 How to convert a srvtab to a KeyFile

You need a /usr/vice/etc/ThisCell containing the cellname of your AFS-cell.

ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile.

If keyfile already exists, this will add the new key in afs-srvtab to KeyFile.

5.3 Using 2b tokens with AFS

5.3.1 What is 2b ?

2b is the name of the proposal that was implemented to give basic Kerberos 5 support to AFS in rxkad. It's not real Kerberos 5 support since it still uses fcrypt for data encryption and not Kerberos encryption types.

Its only possible (in all cases) to do this for DES encryption types because only then the token (the AFS equivalent of a ticket) will be smaller than the maximum size that can fit in the token cache in the OpenAFS/Transarc client. It is a so tight fit that some extra wrapping on the ASN1/DER encoding is removed from the Kerberos ticket.

2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for the part of the ticket that is encrypted with the service's key. The client doesn't know what's inside the encrypted data so to the client it doesn't matter.

To differentiate between Kerberos 4 tickets and Kerberos 5 tickets, 2b uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens.

Its a requirement that all AFS servers that support 2b also support native Kerberos 5 in rxkad.

5.3.2 Configuring a Heimdal kdc to use 2b tokens

Support for 2b tokens in the kdc are turned on for specific principals by adding them to the string list option [kdc]use_2b in the kdc's krb5.conf file.

     	use_2b = {
     		afs@SU.SE = yes
     		afs/ = yes

5.3.3 Configuring AFS clients for 2b support

There is no need to configure AFS clients for 2b support. The only software that needs to be installed/upgrade is a Kerberos 5 enabled afslog.