[OpenAFS-devel] Document for authenticating against MIT K5/krb524d ?

Ken Hornstein kenh@cmf.nrl.navy.mil
Wed, 09 Jan 2002 14:34:19 -0500


>Let me be a little clearer about what I want to do:

(These questions are, I believe, answered in the migration kit documentation,
but to cover them briefly here, since you'll have to read a fair amount to
get to them.)

>This is a brand new cell and realm: there is no existing data to be
>migrated.  So do I just need an afs@REALM principal on the KDC, and
>ka-forwarder in place on the OpenAFS machines?

Yup.  Well, one additional thing: you'll need to place that service key
on your database/fileservers ... and make sure it's the SAME key on all
machines (just don't run ktadd on each machine).  You can't put it in
a regular keytab; you need to put it into a special "keyfile", and
the tool asetkey will do that.  Also note you'll need to make sure it's
a des-cbc-crc key, not a 3des key.

>There are no preexisting
>keys or kvnos that I have; do I still need to create them with kaserver
>and then migrate them, or can I just create them on the KDC?

Just create them on the KDC.

>Do I just
>skip creating the kaserver with bos and instead create a ka-forwarder?

Yup.

--Ken
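
The two caveats in the reply above (the same key on every database/fileserver, and a des-cbc-crc key rather than 3des) can be checked mechanically before the cell goes live. This is an added example, not part of the original message; the listing format, host names and digests are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. All sample data is constructed.

# enctype_ok PRINCIPAL: stdin is "KVNO principal (enctype)" lines, the shape
# assumed here for a keytab listing. Passes only if the principal has exactly
# one entry and that entry is des-cbc-crc (not 3des).
enctype_ok() {
    awk -v p="$1" '
        $2 == p { n++; if ($3 != "(des-cbc-crc)") bad = 1 }
        END { if (n == 1 && !bad) exit 0; exit 1 }
    '
}

# same_key: stdin is "host digest" lines, one per database/fileserver, where
# digest is a hash of that server's keyfile collected by the admin (assumed
# collection step, not shown). Passes only if every server reports the same
# digest, i.e. the key was exported once and copied, not regenerated per host.
same_key() {
    awk '
        NF != 2 { bad = 1; next }
        { seen[$2] = 1; hosts++ }
        END {
            n = 0
            for (d in seen) n++
            if (bad || hosts == 0 || n != 1) exit 1
            exit 0
        }
    '
}

# Constructed inputs: a good listing, a 3des listing, and digests from three
# servers where fs2 ended up with its own key (e.g. ktadd was run there too).
good_listing='   3 afs@REALM (des-cbc-crc)'
des3_listing='   3 afs@REALM (des3-cbc-sha1)'
matching='db1 aaaa1111
fs1 aaaa1111
fs2 aaaa1111'
drifted='db1 aaaa1111
fs1 aaaa1111
fs2 bbbb2222'

printf '%s\n' "$good_listing" | enctype_ok afs@REALM && echo "enctype: ok"
printf '%s\n' "$des3_listing" | enctype_ok afs@REALM || echo "enctype: not des-cbc-crc"
printf '%s\n' "$matching" | same_key && echo "keyfile: identical on all servers"
printf '%s\n' "$drifted" | same_key || echo "keyfile: servers disagree"
```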