[OpenAFS] Definitive Krb5 documentation desired

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
22 Apr 2003 03:56:57 -0400


On Tue, 2003-04-22 at 03:27, Andreas Haupt wrote:
> On Fri, 18 Apr 2003, Derrick J Brashear wrote:
> > you can switch to a heimdal kdc and ignore all your clients except
> > kpasswd, since otherwise they all just keep working. that includes
> > whatever login solution you have now. no pam.
> 
> I think that's not correct. The kaserver emulation in the heimdal kdc does
> not support the ka_maintenance_service. This means you can throw away all
> scripts which used it (e.g. with kas), and replace it with kadmin calls.

That's correct; AFS's model of replicated updates isn't compatible with
Kerberos's (the client connects to and updates all db servers, whereas
with Kerberos the client should update the master and the master updates
the slaves), and rather than come up with a hacky way to simulate the
behavior kas clients expect, Heimdal only supports the authentication
parts of the kas API.

-- 
brandon s allbery [openafs/solaris/japh/freebsd] allbery@kf8nh.apk.net
system administrator [linux/heimdal/too many hats] allbery@ece.cmu.edu
electrical and computer engineering                              KF8NH
carnegie mellon university  [better check the oblivious first -ke6sls]