[OpenAFS] kaserver vs. Kerberos IV
Derek Atkins
warlord@MIT.EDU
26 Oct 2002 16:38:47 -0400
"Aaron J. Angel" <aangel@myrealbox.com> writes:
> Derek Atkins wrote:
> | Well, at this point I would suggest a "real Kerberos 5" server as
> | opposed to a v4 server. Having said that, the real question is
> | the database migration from kaserver to a real KDC, and that
> | will depend on which KDC implementation you use and whether you want
> | to "start over" or perform a "live" cutover.
>
> I was considering that, but I'm not as familiar with KRB5 as I am with
> KRB4, and last time I tried to set that up I failed miserably, heh.
It's really Not That Hard. The key is to make sure you only have a
des-cbc-crc key in the KDC, and that the key/kvno in the KDC matches
the key/kvno in the AFS KeyFile.
> What is involved with migrating the database? I don't really have that
> much to migrate, so I could start over fairly easily. I suppose I'll be
> using Heimdal, if I opt for KRB5.
If you opt for Heimdal then you should be able to just migrate the
database wholesale (ISTR Heimdal has a KADB importer).
> Is there anything required as far as OpenAFS goes to make it use the KDC
> short of stopping kaserver? And do I need any additional principals?
Just make sure your keys match, then you can use kinit/aklog (or afslog).
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
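
The key/kvno and des-cbc-crc check described in the reply above, as an added example that is not part of the original message or of OpenAFS or Heimdal. It assumes the afs principal's key has been exported from the KDC into an MIT version-2 keytab and that the KeyFile has the layout given in the docstring; the principal afs@EXAMPLE.ORG and the key bytes are constructed sample values.

```python
import struct

DES_CBC_CRC = 1  # Kerberos enctype number for des-cbc-crc

def parse_keyfile(data):
    """{kvno: key}; assumed layout: int32 count, then (int32 kvno, 8-byte key) records."""
    (n,) = struct.unpack_from(">i", data, 0)
    return dict(struct.unpack_from(">i8s", data, 4 + 12 * i) for i in range(n))

def _counted(buf, p):  # uint16-length-prefixed bytes -> (value, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """[(principal, kvno, enctype, key)] from an MIT version-2 keytab image."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size <= 0:  # a negative size marks a deleted slot of -size bytes
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        parts, p = [], 2
        for _ in range(struct.unpack_from(">H", rec, 0)[0] + 1):  # realm, then name parts
            part, p = _counted(rec, p)
            parts.append(part)
        # Skip name type and timestamp (8 bytes); AFS kvnos fit the 8-bit field.
        kvno, etype = struct.unpack_from(">BH", rec, p + 8)
        key, _ = _counted(rec, p + 11)
        out.append(((b"/".join(parts[1:]) + b"@" + parts[0]).decode(), kvno, etype, key))
    return out

def check_afs_key(keyfile, keytab, principal):
    """Problems found; empty when every key for principal matches the KeyFile."""
    afs = parse_keyfile(keyfile)
    entries = [e for e in parse_keytab(keytab) if e[0] == principal]
    problems = [] if entries else [f"no keytab entry for {principal}"]
    for _, kvno, etype, key in entries:
        if etype != DES_CBC_CRC:
            problems.append(f"kvno {kvno}: enctype {etype} is not des-cbc-crc")
        elif afs.get(kvno) != key:
            problems.append(f"kvno {kvno}: no matching key/kvno in KeyFile")
    return problems

KEY = bytes.fromhex("0123456789abcdef")  # constructed sample key, not a real one
KEYFILE = struct.pack(">ii8s", 1, 3, KEY).ljust(100, b"\0")
ENTRY = struct.pack(">HH11sH3sIIBHH8sI", 1, 11, b"EXAMPLE.ORG", 3, b"afs", 1, 0, 3, 1, 8, KEY, 3)
KEYTAB = b"\x05\x02" + struct.pack(">i", len(ENTRY)) + ENTRY
```

Calling check_afs_key(KEYFILE, KEYTAB, "afs@EXAMPLE.ORG") on the sample data returns an empty list; a differing kvno, key or enctype yields one message per offending keytab entry.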