Token Acquisition Methods

AFS tokens can be obtained via several different methods. Each of the methods natively supported by the OpenAFS provider is described below. Note that the OpenAFS provider is extensible, so acquisition methods other than those listed here may be available.

Kerberos 5

A Kerberos 5 service ticket is obtained for the cell and used directly to construct the AFS token.

Kerberos 5 to 4 conversion (Kerberos 524)

A Kerberos 5 service ticket is obtained for the cell and then converted to a Kerberos 4 service ticket using the krb524 daemon. The resulting Kerberos 4 ticket is used to construct the AFS token.

Kerberos 4

A Kerberos 4 service ticket is obtained for the cell and then used to construct the AFS token. To use this method, the identity must be configured to obtain Kerberos 4 tickets when obtaining and renewing credentials. Otherwise, a Kerberos 4 TGT (ticket granting ticket) will not be available with which to obtain the service ticket.

Automatic method selection

When the OpenAFS provider is configured to use automatic method selection for obtaining an AFS token, it iterates through the Kerberos 5, Kerberos 524 and Kerberos 4 methods until one of them succeeds. If a realm for the service ticket is specified, then the realm will be used for all methods.

The correct method to use for your AFS cell will depend on the configuration of the AFS cell and the associated Kerberos realm. In most cases, automatic method selection will determine the correct realm. However, in other cases, the method will have to be specified explicitly. Contact your AFS cell administrator to find out which token acquisition methods are supported.