[OpenAFS] OpenAFS with MIT Kerberos >= 1.2.6

Wed, 9 Oct 2002 13:30:03 +0200

--Kj7319i9nmIyA2yE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hiho!

I'm using OpenAFS 1.2.7 with Kerberos 5 and after upgrading to the 1.2.6
Release of MIT Kerberos yesterday, the afsd started rejecting tokens.

After diving into the Documentation (if all else fails, read the docs :)
i disabled the "new style" of afs tokens in the [appdefaults] section
of the krb5.conf file on all hosts as follows:

[appdefaults]
afs_krb5 =3D {
	MYREALM.DOM =3D {
		afs =3D false
	}
}

"MYREALM.DOM" is of course just an example.

Apparently, Kerberos 1.2.6 is not only able to return the encrypted part
of a Kerberos 5 Ticket as a Token to an "afs/*@*" principal but does so
by default. The user has to disable it manually, if the AFS Server is
unable to use the Token, which seems to be the case with my OpenAFS
installation (1.2.7, compiled from unpatched sources, linked against
MIT Kerberos 5 1.2.5) or my Kerberos Migration Kit (Version 1.3).

Question: Is it/will it be possible to use this feature, rather then disabl=
e it,
with some Release of OpenAFS? Which one? How? I seem to be unable to
find any docs about this, other than the short notice in the MIT Kerberos 5=
 source tree.

It would be nice to get rid of Kerberos 4 and single DES in the long
run.

Kind regards
	Friedel
--=20
	Friedrich Delgado Friedrichs <friedel@nomaden.org>
Laziness led to the invention of the most useful tools.

--Kj7319i9nmIyA2yE
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iEYEARECAAYFAj2kEzsACgkQCTmCEtF2zEBVuwCeO2kg+BEfaEGgadqL5wNFwVgK
BOQAniF1RCzJlm4YWh7J7K7tg9lR2Mzd
=u/oo
-----END PGP SIGNATURE-----

--Kj7319i9nmIyA2yE--