[OpenAFS] krb5 inclusion in client build = NO kaserver auth whatsoever?
Douglas E. Engert
deengert@anl.gov
Mon, 03 Dec 2007 09:53:41 -0600
Derrick Brashear wrote:
>
>
> On Dec 3, 2007 10:16 AM, Jeff Blaine <jblaine@kickflop.net> wrote:
>
> I'm trying to deduce the depth of effect from building
> OpenAFS client tarballs with '--with-krb5-conf=...'
>
> During our transition to krb5 auth, I'd like our clients
> to have an OpenAFS allowing kaserver auth, but I obviously
> want aklog in place for those willing to test krb5 + aklog.
>
> Can anyone save me some testing time and comment on the
> feasibility of that?
>
>
> 3 choices:
>
> krb5kdc with fakeka (if mit) or with kaserver-compat enabled (if
> heimdal) in place of kaserver
>
> or
>
> sync the key between the kaserver and the krb5kdc
>
> or
>
> different realm name for krb5 and kaserver, and 2 keys (with different
> kvnos) on all the afs servers.
Realm names can be the same. Just make sure kvnos are different.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444