[OpenAFS-devel] Re: aklog on OS X does not contact KDC to obtain AFS serivce principal

Marcus Crestani crestani@informatik.uni-tuebingen.de
Fri, 01 Aug 2014 08:10:18 +0200


>>>>>"AD" == Andrew Deason <adeason@sinenomine.net> writes:
AD> (And is this still needed on the newest OS X? Is there a point where
AD> we can get rid of shipping that file and just rely on the relevant
AD> libkrb5 call?)

The functionality that krb5-weak.conf tries to achieve won't be needed
on OS X from Yosemite (10.10) on forwards, since Yosemite's Kerberos
removes the support for 1-DES encryption types and thus
allow_weak_crypto does not have any effect whatsoever.  (We know this
because of testing the beta versions and talking to Apple; this is one
reason why we are in the process of rxkad'ing our AFS.)

-- 
Marcus