For more information about Kerberos, see the NRL Kerberos FAQ.

To get access to AFS filespace, you need an AFS client. Normal, everyday AFS clients are built with the assumption that you will be logging in to/authenticating against the AFS version of the Kerberos Authentication Server, known as the kaserver. The command used to do this with the AFS client is klog, but the AFS client for Windows also includes a Windows-based system tray application for AFS authentication.

At NC State University and in the College of Engineering, we do not use the kaserver. Rather, we use a standard MIT Kerberos Authentication Server known as the Key Distribution Center, or KDC. Using the KDC allows us to use AFS in a more flexible way and provides the ability to use a wider range of services that use the Kerberos protocol for authentication. So you need a Kerberos client to authenticate against the KDC (using the kinit command or the leash32 application that is part of the Kerberos for Windows software from MIT).

With most services that use Kerberos, the Kerberos client authentication would suffice for use by the service. However, while the AFS client does use Kerberos for authentication, it uses it in a way that is a little different from the standard way that the MIT software implements the Kerberos protocol. This means that you cannot use an AFS Client "out of the box" at NC State University.

Fortunately, the way Kerberos (version 4) works in the standard MIT implementation is very close to the way it is implemented in the AFS client. Also, there is a way to convert your MIT Kerberos authentication (i.e., Kerberos tickets or credentials) to AFS Kerberos authentication (AFS tokens). This conversion routine is often called aklog after the name of the program that does it on most Unix-based operating systems.

So, as long as you have done an initial authentication to our MIT KDC and have your KerberosV4 primary ticket/credential (known as your "ticket-granting-ticket," or TGT, because it is used to get tickets/credentials for each service that uses Kerberos), you can use this aklog function to obtain MIT KDC service tickets for the AFS cells at NCSU and convert those service tickets to AFS tokens. ("Cell" is the term for the "administrative domain" for AFS. Each cell has its own set of servers, accounts, groups, information about files, etc.) WolfCall's primary purpose is to do this aklog step. Also, WolfCall will do the initial kinit against the NCSU KDC. In addition, WolfCall has functionality for managing drive mappings to AFS space, combining the functionality of three or four separate command-line and Windows applications into one single Windows-based application.
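
The sequence described above (TGT first, then aklog per cell, then a check that a token really exists) can be sketched as a Unix shell function. This is an added example, not WolfCall's code or anything published by NCSU; it assumes the MIT Kerberos 5 `klist` and the OpenAFS `aklog` and `tokens` commands are on the PATH, and the cell names are supplied by the caller because the page does not name them.

```shell
#!/bin/sh
# Added example: verify the TGT -> AFS token conversion on a Unix client.
# Assumes MIT Kerberos 5 `klist` and OpenAFS `aklog` / `tokens`.

# has_token CELL: succeed only if `tokens` lists an unexpired token for
# CELL. Expired entries are printed as "[>> Expired <<]" and are rejected.
has_token() {
    tokens 2>/dev/null \
        | grep -F "tokens for afs@$1 " \
        | grep -qF "[Expires "
}

# afs_login CELL...: require a valid TGT, then obtain a token per cell.
# Returns 0 if every cell has a token, 1 if there is no usable TGT,
# 2 if the conversion failed for at least one cell.
afs_login() {
    # `klist -s` is silent; a nonzero status means the credentials cache
    # is missing or expired. Without a TGT, aklog has nothing to convert.
    if ! klist -s; then
        echo "no valid TGT: run kinit first" >&2
        return 1
    fi
    failed=0
    for cell in "$@"; do
        # aklog requests the cell's AFS service ticket from the KDC and
        # hands it to the AFS cache manager as a token. Its exit status
        # alone is not trusted: the token list is checked as well.
        if aklog -c "$cell" && has_token "$cell"; then
            echo "token ok: $cell"
        else
            echo "token FAILED: $cell" >&2
            failed=1
        fi
    done
    [ "$failed" -eq 0 ] || return 2
}

# Typical use after `kinit` (cell name is a placeholder):
#   afs_login cell.example.edu
```

Checking the `tokens` output after aklog catches the case where a service ticket was issued but no usable token reached the cache manager, which otherwise shows up later as unexplained permission errors in AFS space.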

Technical Documents About Authentication

Information Technology and Engineering Computer Services (ITECS)

This support page is for students, faculty, and