[6delgado@informatik.uni-hamburg.de: [OpenAFS] OpenAFS with MIT Kerberos >= 1.2.6]

Friedrich Delgado Friedrichs 6delgado@informatik.uni-hamburg.de
Fri, 18 Oct 2002 13:04:39 +0200


Hi!

The configuration example mentioned in this mail might help with
migrating OpenAFS to Kerberos 1.2.6.

Kind regards
	Friedel
-- 
	Friedrich Delgado Friedrichs <friedel@nomaden.org>
Laziness led to the invention of the most useful tools.

From: Friedrich Delgado Friedrichs <6delgado@informatik.uni-hamburg.de>
To: openafs-info@openafs.org
Subject: [OpenAFS] OpenAFS with MIT Kerberos >= 1.2.6
Date: Wed, 9 Oct 2002 13:30:03 +0200

Hiho!

I'm using OpenAFS 1.2.7 with Kerberos 5 and after upgrading to the 1.2.6
release of MIT Kerberos yesterday, the afsd started rejecting tokens.

After diving into the documentation (if all else fails, read the docs :)
I disabled the "new style" of afs tokens in the [appdefaults] section
of the krb5.conf file on all hosts as follows:

[appdefaults]
afs_krb5 = {
	MYREALM.DOM = {
		afs = false
	}
}

"MYREALM.DOM" is of course just an example.

Apparently, Kerberos 1.2.6 is not only able to return the encrypted part
of a Kerberos 5 Ticket as a Token to an "afs/*@*" principal but does so
by default. The user has to disable it manually, if the AFS Server is
unable to use the Token, which seems to be the case with my OpenAFS
installation (1.2.7, compiled from unpatched sources, linked against
MIT Kerberos 5 1.2.5) or my Kerberos Migration Kit (Version 1.3).

Question: Is it/will it be possible to use this feature, rather than disable it,
with some release of OpenAFS? Which one? How? I seem to be unable to
find any docs about this, other than the short notice in the MIT Kerberos 5
source tree.

It would be nice to get rid of Kerberos 4 and single DES in the long
run.

Kind regards
	Friedel
-- 
	Friedrich Delgado Friedrichs <friedel@nomaden.org>
Laziness led to the invention of the most useful tools.
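
Added example (not part of the original mail, and not code from OpenAFS or MIT Kerberos): a small checker for confirming that a host's krb5.conf carries the [appdefaults] stanza shown in the mail. It assumes the krb5.conf appdefaults precedence (application/realm, application, realm, bare option) and treats an unset option as enabled, as the mail reports; the function names and the sample config are constructed for illustration.

```python
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}  # treated as boolean false here

def parse_appdefaults(text):
    """Parse only [appdefaults] into nested dicts (first value wins on duplicates)."""
    root = {}
    stack, in_section = [root], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):              # section header: reset nesting
            in_section = line.lower() == "[appdefaults]"
            stack = [root]
        elif not in_section:
            continue
        elif line == "}":                      # close the current subsection
            if len(stack) > 1:
                stack.pop()
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                   # open a subsection
                child = stack[-1].setdefault(key, {})
                stack.append(child if isinstance(child, dict) else {})
            else:
                stack[-1].setdefault(key, value)
    return root

def new_style_tokens_enabled(text, realm, app="afs_krb5", option="afs"):
    """Resolve `option` by precedence: app/realm, app, realm, then bare option."""
    def table(value):
        return value if isinstance(value, dict) else {}
    cfg = parse_appdefaults(text)
    app_tbl = table(cfg.get(app))
    for tbl in (table(app_tbl.get(realm)), app_tbl, table(cfg.get(realm)), cfg):
        value = tbl.get(option)
        if isinstance(value, str):
            return value.lower() not in FALSE_WORDS
    return True   # unset: the mail reports the feature is on by default

# Constructed sample: the stanza from the mail after an unrelated section.
SAMPLE = """\
[libdefaults]
[appdefaults]
afs_krb5 = {
    MYREALM.DOM = {
        afs = false
    }
}
"""
```

Feed it the contents of each host's krb5.conf and flag any host where the result for your realm is True.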
