%META:TOPICINFO{author="JosephHVilas" date="1109632471" format="1.0" version="1.9"}%
%META:TOPICPARENT{name="KaServer"}%
An assortment of commands and tools related to AFS authentication sorted by authentication system.
%TOC%
---++ KaServer -- AFS version of Kerberos V4
The klog and kpasswd commands both try several StringToKey functions.
* klog -- authentication with KaServer by getting AFS service tickets and sending them to the (kernel) CacheManager. Can save the TGT in a file compatible with kinit (V4) as a non-default option.
* tokens -- displays AFS service tickets (tokens) held by the CacheManager.
* kpasswd -- change password in KaServer.
* kas -- administrative interface to KaServer
* inetd -- passes authentication information to network servers. See [[http://www.cs.rose-hulman.edu/docs/afs-doc/html/AdminRef/auarf179.htm#HDRINETD][inetd]]. [[http://lists.openafs.org/pipermail/openafs-devel/2002-January/002351.html][Avoid]].
* r* commands -- pass authentication information between trusting hosts (over a secure network). See [[http://www.cs.rose-hulman.edu/docs/afs-doc/html/AdminGd/auagd007.htm#HDRWQ78][Remote Services]]. [[http://lists.openafs.org/pipermail/openafs-devel/2002-January/002351.html][Avoid]]; see also this [[http://lists.openafs.org/pipermail/openafs-devel/2002-January/002372.html][thread]]. These are not built by default in OpenAFS unless =--enable-insecure= is specified.
---++ KerberosIV -- MIT reference for V4
* kinit -- authenticates using standard UDP port 750. Also works with KaServer but doesn't get AFS service tickets (tokens).
* ktadd -- adds a new key/principal to KeyDistributionCenter (KDC) (or changes the key if it already exists?)
---++ KerberosV -- MIT reference for V5
There are more types of StringToKey functions in V5.
Main.CharlesClancy posted a Perl [[http://lists.openafs.org/pipermail/openafs-info/2002-January/003060.html][script]] that provides a kas interface to kadmin, so that existing scripts (and users) that use kas can easily work in a K5 environment.
Main.DerekAtkins provides this handy mapping from KerberosVMIT to KaServer:
| *KerberosVMIT* | *KaServer* |
| kinit + aklog/afslog | klog |
| kadmin | kas |
| kpasswd | kpasswd |
* kinit -- authenticates using standard UDP port 88. Works with DCE, HeimdalKTH and ActiveDirectory (maybe?).
* kpasswd -- change KDC password.
* klist -- displays contents of ticket cache.
* ktadmin
* ktadd -- add a principal
=ktadd -k /etc/krb5/keytab -e des-cbc-crc:v4 afs@CS.UMD.EDU=
* ktremove -- removes a principal from the KDC
* kprop
---++ KerberosDCE -- DCE version of V5
* kinit -- authenticates to DCE Security Server and also obtains authorization information (groups) from the DCE Privilege Server.
* chpass -- change password
* dcecp -- admin suite
---++ HeimdalKTH -- International version of Kerberos V5
Here's some [[http://lists-openafs.central.org/pipermail/openafs-info/2001-April/000591.html][mail]] from Main.DerrickBrashear for using HeimdalKTH for AFS authentication. An updated version of this document can be found [[http://lost-contact.mit.edu/afs/net/project/afs32/andrew.cmu.edu/usr/shadow/ka2heim.txt][here]]: file:/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt
The kas wrapper mentioned above may be useful for Heimdal environments too.
* afslog
* ktutil -- for example, to create a KeyFile for AFS servers you can use this sequence:
=ktutil -k keytab.afs get afs@MY.REALM=
=ktutil copy FILE:keytab.afs AFSKEYFILE:/usr/vice/etc/KeyFile=
It can also convert from =srvtab= format.
* hprop -- initializes a database from KaServer (?)
* ipropd -- propagates KDC databases between master and slave servers?
---++ ActiveDirectory -- Microsoft version of Kerberos V5
---++ Other commands
* aklog -- converts V5 TGT to AFS service tickets and gives them to the CacheManager. Is this part of the standard MIT K5 distribution?
* ka-forwarder -- allows klog to work in V5 environments, not needed if you are willing to use kinit/aklog. This is a HeimdalKTH tool?
* asetkey -- takes a V5 keytab file containing the AFS service ticket key, converts the key and stores it in a KeyFile, which AFS servers understand.
* fakeka
* r* commands -- where to get safe kerberized versions?
* pts -- suite of commands for accessing the PtServer to manage AFS groups in all authentication environments.
* uss -- user creation tool. It is [[http://www.openafs.org/pages/doc/AdminReference/auarf242.htm#HDRUSS_INTRO][documented]] in the admin guide. It has some support for alternate authentication systems, but probably works best in KaServer environments.
---
See SettingUpAuthentication
-- Main.TedAnderson - 23 Jan 2002
-- Main.TedAnderson - 06 Feb 2002
-- Main.TedAnderson - 07 Mar 2002