[OpenAFS] The new KRB 5 feature in 1.2.8

Patrick Boettcher empmp@gmx.de
Wed, 18 Dec 2002 07:03:27 +0100


Hello List,

When I was reading the topic "Native Kerberos 5 support" of the release 
notes for 1.2.8, I wondered: what does the new feature mean?
I hoped it means that afsd now accepts Kerberos 5 tickets from the Kerberos 5 
ticket cache to figure out that the user is allowed to write to AFS.

Where can I read more about the feature to understand it totally, or is 
there someone on this list who is able to explain it in a little more detail?

Thanks in advance,
Patrick Boettcher


PS: for all who haven't read the release notes yet, here the part about krb5:
----
* Native Kerberos 5 support: rxkad 2b

AFS is now capable of using Kerberos 5 for authentication via rxkad
2b.  Clients do not need to be updated to take advantage of this,
although they must be using a Kerberos 5 based aklog.  A krb5 aklog is
available as part of Ken Hornstein's afs-krb5 migration kit.  To use
rxkad 2b, your AFS servers must be running OpenAFS 1.2.8, and your
KDCs must be running MIT Kerberos 5 1.2.6 or later.  The krb524d
included in MIT Kerberos 5 1.2.6 will respond to requests for AFS
service tickets with only the encrypted part of a Kerberos 5 ticket.
krb524d can be configured to not do this on a per principal basis.
More information on configuring this krb524d behavior is available in
the README for MIT Kerberos 5 1.2.6 and later.

Support for this is not yet available in Heimdal, but will be present
in a forthcoming release.

Note that to use this feature, you must be running a krb524d.  A new
version of aklog that eliminates the need for krb524d is under development
and will be available in the near future.

OpenAFS servers will continue to accept Kerberos 4 derived tokens, so
it is not necessary to immediately upgrade your aklog or KDCs if you do
not wish to take advantage of this new feature.
----