--- /dev/null
+As of Windows NT version 5.0, normally known by the name Windows 2000, the domain controller (aka [[ActiveDirectory]]) uses [[KerberosV]] for authentication.
+
+The resulting TGT tickets use a proprietary authorization data format. There was a big flamefest on this issue, though [[KerberosDCE]] also uses the V5 ticket's authorization data field to store group membership data, the details of Microsoft's format was murky.
+
+[[NathanNeulinger]] has used Windows 2000 to provide authentication for AFS. See his [message](http://lists.openafs.org/pipermail/openafs-info/2002-January/002893.html) to [[OpenAFSInfo]] for details.
+
+-- [[TedAnderson]] - 23 Jan 2002
+
+----
+
+See [[KerberosV]], [[KerberosDCE]].
-[[KaServer]]
+An assortment of commands and tools related to AFS authentication sorted by authentication system.
+
+<div>
+ <ul>
+ <li><a href="#KaServer -- the AFS version of K"> KaServer -- the AFS version of Kerberos version 4</a></li>
+ <li><a href="#KerberosIV -- the MIT reference"> KerberosIV -- the MIT reference for version 4</a></li>
+ <li><a href="#KerberosV -- the MIT reference f"> KerberosV -- the MIT reference for version 5</a></li>
+ <li><a href="#KerberosDCE -- the DCE version o"> KerberosDCE -- the DCE version of version 5</a></li>
+ <li><a href="#HeimdalKTH -- the international"> HeimdalKTH -- the international version of Kerberos version 5</a></li>
+ <li><a href="#ActiveDirectory -- the Microsoft"> ActiveDirectory -- the Microsoft version of Kerberos version 5</a></li>
+ <li><a href="#Other commands"> Other commands</a></li>
+ </ul>
+</div>
+
+## <a name="KaServer -- the AFS version of K"></a> [[KaServer]] -- the AFS version of Kerberos version 4
+
+The klog command (and kpasswd too) try several [[StringToKey]] functions.
- klog -- authentication with [[KaServer]] by getting AFS service tickets and sending them to the (kernel) [[CacheManager]]. Can save the TGT in a file compatible with kinit (V4) as a non-default option.
- kpasswd -- change password in [[KaServer]]
- kas -- administrative interface to [[KaServer]]
+- inetd -- passes authentication information to network servers. See [inetd ](http://www.cs.rose-hulman.edu/docs/afs-doc/html/AdminRef/auarf179.htm#HDRINETD). [Avoid](http://lists.openafs.org/pipermail/openafs-devel/2002-January/002351.html).
+- r\* commands -- passes authentication information between trusting hosts (over a secure network). See [Remote Services](http://www.cs.rose-hulman.edu/docs/afs-doc/html/AdminGd/auagd007.htm#HDRWQ78). [Avoid](http://lists.openafs.org/pipermail/openafs-devel/2002-January/002351.html) and [thread](http://lists.openafs.org/pipermail/openafs-devel/2002-January/002372.html). These are not built by default in [[OpenAFS]] unless --enable-insecure is specified.
-[[KerberosIV]]
+## <a name="KerberosIV -- the MIT reference"></a><a name="KerberosIV -- the MIT reference "></a> [[KerberosIV]] -- the MIT reference for version 4
- kinit -- authenticates using standard UDP port 750. Also works with [[KaServer]] but doesn't get AFS service tickets (tokens).
+- ktadd -- adds a new key/principal to KDC (or changes the key if it already exists?)
-[[KerberosV]]
+## <a name="KerberosV -- the MIT reference f"></a> [[KerberosV]] -- the MIT reference for version 5
+
+There are more types of [[StringToKey]] functions in V5.
- kinit -- authenticates using standard UDP port 88. Works with DCE, [[HeimdalKTH]] and [[ActiveDirectory]] (maybe?).
+- ktadmin
+- ktadd
+- kprop
-[[KerberosDCE]]
+## <a name="KerberosDCE -- the DCE version o"></a> [[KerberosDCE]] -- the DCE version of version 5
- kinit -- authenticates to DCE Security Server and also obtains authorization informaion (groups) from the DCE Privilege Server.
- chpass -- change password
- dcecp -- admin suite
-[[ActiveDirectory]]
+## <a name="HeimdalKTH -- the international"></a><a name="HeimdalKTH -- the international "></a> [[HeimdalKTH]] -- the international version of Kerberos version 5
+
+Here's some [mail](http://lists-openafs.central.org/pipermail/openafs-info/2001-April/000591.html) from [[DerrickBrashear]] for using [[HeimdalKTH]] for AFS authentication.
+
+- afslog
+- ktutil -- for example to create a [[KeyFile]] for AFS servers you can use this sequence<br />`ktutil -k keytab.afs get afs@MY.REALM`<br />`ktutil copy FILE:keytab.afs AFSKEYFILE:/usr/vice/etc/KeyFile`<br /> It can also convert from `srvtab` format.
+- hprop -- initializes a database from [[KaServer]] (?)
+- ipropd -- propagates KDC databases between master and slave servers?
-- uses its own authorization data format. Big flamefest on this issue.
+## <a name="ActiveDirectory -- the Microsoft"></a> [[ActiveDirectory]] -- the Microsoft version of Kerberos version 5
-Others
+## <a name="Other commands"></a> Other commands
-- aklog -- converts V5 TGT to AFS service tickets and gives them to the [[CacheManager]].
+- aklog -- converts V5 TGT to AFS service tickets and gives them to the [[CacheManager]]. Is this part of the standard MIT K5 distribution?
+- ka-forwarder -- allows klog to work in V5 environments, not needed if you are willing to use kinit/aklog. This is a [[HeimdalKTH]] tool?
+- asetkey -- converts a V5 keytab file containing the AFS service ticket key and stores it into a [[KeyFile]] which AFS servers understand.
+- fakeka
+- r\* commands -- where to get safe kerberized versions?
-- [[TedAnderson]] - 23 Jan 2002
There are basically three options with several variants
- [[KaServer]] -- the standard option to comes with IBMAFS, implements [[KerberosIV]] with some custom features.
-- [[KerberosIV]] -- the original MIT implementation, and [[Krb4KTH]], an export version of [[MITKerberosIV]] (aka "bones"), but with encryption support put back in by the fine folks at KTH.
+- [[KerberosIV]] -- the original MIT implementation, and [[Krb4KTH]], an export version of [[KerberosIVMIT]] (aka "bones"), but with encryption support put back in by the fine folks at KTH.
- [[KerberosV]] -- version five of this protocol has numerous improvements over version four and is available from many sources: MIT, DCE, Microsoft (aka [[ActiveDirectory]]) and [[HeimdalKTH]].
The consensus these days is to use [[KerberosV]], even though lacking native support for V5, AFS still needs various conversion and migration tools.
- SSH -- There are two issues. First is mutually authenticating you and the SSH server to each other using Kerberos. Second is passing local AFS authentication to the remote shell (in this case an AFS Client) in the form of AFS service tickets (tokens).
- these instructions from [[CharlesClancy]] for building openssh might be useful <http://lists.openafs.org/pipermail/openafs-info/2002-January/002846.html>
- another perspective from [[OwenLeBlanc]] <http://lists.openafs.org/pipermail/openafs-info/2002-January/002856.html>
+- How to choose between [[KaServer]], [[KerberosVMIT]], [[HeimdalKTH]] and [[ActiveDirectory]].
+- [[StringToKey]] issues.
+- Authenticating applications that need AFS access and can't depend upon human interaction to enter a password.
+- [[ProcessAuthenticationGroups]] (aka PAGs).
-- [[TedAnderson]] - 23 Jan 2002
git://git.openafs.org / openafs-wiki.git / commitdiff