[OpenAFS] The new KRB 5 feature in 1.2.8
Patrick Boettcher
empmp@gmx.de
Wed, 18 Dec 2002 07:03:27 +0100
Hello List,
When I was reading the topic "Native Kerberos 5 support" of the release
notes from 1.2.8 I'm wondering: What does the new feature mean?
I hoped it means that afsd now accepts Kerberos 5 tickets from the Kerberos 5
ticket cache to figure out whether the user is allowed to write to AFS.
Where can I read more about the feature to understand it completely, or is
there someone on this list who is able to explain it in a little more detail?
Thanks in advance,
Patrick Boettcher
PS: for all who haven't read the release notes yet, here is the part about krb5:
----
* Native Kerberos 5 support: rxkad 2b
AFS is now capable of using Kerberos 5 for authentication via rxkad
2b. Clients do not need to be updated to take advantage of this,
although they must be using a Kerberos 5 based aklog. A krb5 aklog is
available as part of Ken Hornstein's afs-krb5 migration kit. To use
rxkad 2b, your AFS servers must be running OpenAFS 1.2.8, and your
KDCs must be running MIT Kerberos 5 1.2.6 or later. The krb524d
included in MIT Kerberos 5 1.2.6 will respond to requests for AFS
service tickets with only the encrypted part of a Kerberos 5 ticket.
krb524d can be configured to not do this on a per principal basis.
More information on configuring this krb524d behavior is available in
the README for MIT Kerberos 5 1.2.6 and later.
Support for this is not yet available in Heimdal, but will be present
in a forthcoming release.
Note that to use this feature, you must be running a krb524d. A new
version of aklog that eliminates the need for krb524d is under development
and will be available in the near future.
OpenAFS servers will continue to accept Kerberos 4 derived tokens, so
it is not necessary to immediately upgrade your aklog or KDCs if you do
not wish to take advantage of this new feature.
----
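The release notes above make the practical point behind the question: with rxkad 2b the AFS servers accept tokens derived from Kerberos 5 credentials, but afsd still does not read the Kerberos 5 ticket cache itself; a Kerberos 5 aware aklog has to turn the TGT into an AFS token first. The following is an added example, not code from the release notes or from the OpenAFS project, and its sample `klist` and `tokens` output is constructed for illustration (the "tokens for afs@cell" line format is an assumption). It checks which step of the kinit, aklog, tokens sequence is still missing for a given cell.

```shell
#!/bin/sh
# Added example: decide whether a user still needs kinit or aklog before
# AFS will honour their credentials. Input is the text printed by MIT
# `klist` and OpenAFS `tokens`; the samples below are constructed.

# Return 0 if klist output on stdin shows a Kerberos 5 TGT.
has_tgt() {
    grep -q 'krbtgt/'
}

# Return 0 if tokens output on stdin lists an AFS token for the cell.
# (Assumed line shape: "User's (AFS ID N) tokens for afs@<cell> [Expires ...]")
has_afs_token() {
    cell="$1"
    grep -qF "tokens for afs@$cell"
}

# Print the next step: "kinit" (no TGT), "aklog" (TGT but no token), or "ok".
next_step() {
    cell="$1"; klist_out="$2"; tokens_out="$3"
    if ! printf '%s\n' "$klist_out" | has_tgt; then
        echo kinit; return 0
    fi
    if ! printf '%s\n' "$tokens_out" | has_afs_token "$cell"; then
        echo aklog; return 0
    fi
    echo ok
}

# Constructed sample output, standing in for the real commands.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
12/18/02 07:00:00  12/18/02 17:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

TOKENS_NONE='Tokens held by the Cache Manager:

   --End of list--'

TOKENS_OK="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires Dec 18 17:00]
   --End of list--"

# Stand-alone run: report against the constructed samples.
# In real use replace the samples with: "$(klist 2>/dev/null)" and "$(tokens)".
echo "with TGT, no token: $(next_step example.org "$KLIST_SAMPLE" "$TOKENS_NONE")"
echo "with TGT and token: $(next_step example.org "$KLIST_SAMPLE" "$TOKENS_OK")"
echo "no TGT at all:      $(next_step example.org "" "$TOKENS_OK")"
```

A TGT in the cache with no AFS token is exactly the situation the original poster hoped would "just work"; the script reports `aklog` there, which is the missing conversion step the notes describe.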