[OpenAFS-devel] Krb5-only and KeyFile?

Troy Benjegerdes hozer@hozed.org
Mon, 6 Jun 2005 14:55:39 -0500


On Mon, Jun 06, 2005 at 01:23:34PM -0400, Jeffrey Hutzelman wrote:
> 
> 
> On Sunday, June 05, 2005 01:22:18 PM -0500 Troy Benjegerdes 
> <hozer@hozed.org> wrote:
> 
> >On Sun, Jun 05, 2005 at 12:08:35PM -0400, Jeffrey Altman wrote:
> >>Troy Benjegerdes wrote:
> >>
> >> > This seems to keep getting discussed. Does anyone have a roadmap of
> >> > what needs to be done to get to full native Krb5 support, and doing
> >> > away with a dependence on des keys?
> >>
> >>Full krb5 support is available to you now.   The only restriction is
> >>that you must use a DES key for the AFS service principal.
> >
> >So is there an aklog (or something like it) that does not require running
> >krb524d?
> 
> It is possible to build such an aklog, yes.  Heimdal's libkafs and afslog 
> support this mode of operation; to enable it, you need to set "afs-use-524" 
> to either "local" or "2b" in the [appdefaults] section of krb5.conf (the 
> "local" setting will set full krb5 tickets as tokens; the "2b" setting will 
> set rxkad-2b tokens, which are smaller and may be required for older cache 
> managers or if your tickets are unusually large for some reason).

So, if I'm interested in getting openafs/src/aklog/ updated, and
included, would it maybe be best to try to port libkafs to work with
both heimdal and MIT kerberos? (and the corresponding configure hackery
to auto-detect which flavor?)

I sort-of have an aklog working based on the stuff in src/aklog, and it
seems to at least get me tokens... but I suspect it knows nothing about
full krb5 tickets.

Anyone else have comments/suggestions/patches?