[OpenAFS] Kerberos upgrade logistics

Jim Green jfgreen@msu.edu
Fri, 13 Apr 2012 15:50:01 -0400

Hi, folks,

I made a posting to the Kerberos list on Wednesday and got a couple of
suggestions to also post here, so here goes:

At Michigan State, I am leading a project to upgrade our MIT Kerberos
central authentication service from version 1.6.3 to 1.10.1.  We will be
dropping support for the Kerberos 4 protocol.  We are a long-time AFS site
and most of the systems we've been able to identify that still rely on
Kerberos 4 are either systems that use old AFS clients, or
systems/applications that have homegrown authentication modules that use

The main drivers for this project are a) desire to support account lockout
for some users; b) desire to end-of-life Kerberos 4 support as recommended
in MIT's Kerberos 4 end of life announcement

I am interested in communicating with folks that have been down this path,
especially with AFS.  Anyone know of any medium to large research
institutions running Kerberos 1.7.x or higher with AFS?  If so, I'd
appreciate contact information.  And, anyone, please chime in if there's
some reason you know about that makes this idea totally crazy.  Thanks.  PS
I did get a response from my earlier posting to the Kerberos list that U. of
Michigan has done something like this, so I've emailed them directly.