[OpenAFS] OpenAFS Project List

Leonard R Smith II lrsmith@umich.edu
Wed, 14 Mar 2001 11:02:57 -0500 (EST)


Derrick,

	The College of LSA, at University of Michigan, just did the
migration about one week ago. We had to modify the migration kit to work
with MIT Krb5-1.2.1, but after that it worked very well. We had no AFS
downtime, and authentication services were unavailable for 8 minutes while
we "migrated" the AFS Kas database and uploaded into the K5 KDC.

	When we were testing we did run into a problem with the NT AFS
client. The NT AFS client does not use the RX protocol to obtain tokens.
Instead it talks to the KAS and/or Kerberos Server as if it was a "normal" K4
server. The NT client therefore does not use the fakeka program, from the
migration kit, as other AFS clients would. This caused us some problems
with the client's token request.

	The problem we were seeing is that the NT Client token life was a
negative value and therefore was expired. However, at the command line
we could obtain a token for 10 hours or less; anything else and it became
a negative value. It appears to be related to the life_to_time and
time_to_life routines, with the K4 code.

	The Information Technology group, for the entire University
(ITCS), had already modified the MIT source code to deal with the problem.
So we downloaded and have been using it since then without a problem.


	Hope this helps,
				Len Smith
				LSA IT UNIX Team
				University of Michigan



> > has significant security problems--fixed in the newest versions.  (We also
> > have an issue where Windows clients fail miserably when authenticating
> > against our krb5-bastardized AFS cell, but the lack of discussion of this
> > issue leads me to believe that this is either a local problem or else very
> > few sites are actively using the migration kit).
>
> You need to make sure that in addition to the afs3 keys you have, that you
> also have krb5-salted keys in your database, because that's what Windows
> expects to see. I know this works correctly with Heimdal, because we're
> using that for a KDC with krb4-salted and krb5-salted keys (we moved our
> AFS cell to krb4-salted keys several years ago).
>
> -D
>
>
>