[OpenAFS] 1.2.10 without krb524

Chris McClimans openafs-info@mcclimans.net
Mon, 25 Aug 2003 09:42:13 -0500


I have two REALMS:
TTU.EDU
CS.TTU.EDU

I have a keytab for afs/cs.ttu.edu in both REALMS and have added it to 
the KeyFile on all my afs servers.

I do not control the TTU.EDU servers, and therefore have no control over 
the default location of krb524 for that realm.
I have set up krb524 on a local server using -k (to use the keyfile instead 
of the master database). However, I read that 1.2.10 has
the ability to do straight krb5 ticket/token conversion without krb524.

I'd prefer it if username@TTU.EDU and username@CS.TTU.EDU were both 
'username' in the pts database. Not to mention you can't specify 
UIDs for cross-realm entities (i.e. pts entries like username@ttu.edu).

One path would be to figure out how to get rid of krb524 altogether; 
the other would be to make sure the krb5.conf contains the following:

[appdefaults]
afs_krb5 = {
         CS.TTU.EDU = {
                 afs = false
                 afs/cs.ttu.edu = true
         }
         TTU.EDU = {
                 afs = false
                 afs/cs.ttu.edu = true
                 krb524_server=oak.cs.ttu.edu
                 # we could alternatively do _KRB524 DNS entries
                 # (_KRB524.TTU.EDU SRV oak.cs.ttu.edu), but that would
                 # mean requesting TTU.EDU point their SRV entry to me,
                 # not likely.
         }
}

Since I would have to keep this up to date on all clients, I'd prefer 
to get rid of krb524. Does anyone have pointers on how to accomplish this on 
the Unix side? I saw a couple of posts about it working on the Windows 
side.

--
Chris McClimans / Director of Undergraduate Labs / Texas Tech Computer Science
http://www.cs.ttu.edu
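The concern above is that the [appdefaults] afs_krb5 stanza has to be kept consistent on every client. The script below is an added example, not part of the original post or of OpenAFS: a POSIX sh/awk check that parses a krb5.conf in exactly the layout shown in the post and reports, for each realm you name, whether it carries "afs/<cell> = true". The sample krb5.conf it writes is constructed here for a stand-alone run (the realms and the cell name cs.ttu.edu are taken from the post; the EXAMPLE.EDU realm and its missing entry are made up to show the failure case).

```shell
#!/bin/sh
# afs_krb5_check CONF CELL REALM...
#   Exit 0 if every REALM has "afs/CELL = true" inside [appdefaults]/afs_krb5
#   of CONF, exit 1 otherwise. Prints one line per realm.
afs_krb5_check() {
    conf=$1; cell=$2; shift 2
    # awk walks the two nesting levels of the afs_krb5 stanza and prints
    # the name of every realm sub-block that contains afs/<cell> = true.
    ok_realms=$(awk -v cell="$cell" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^$/ { next }
        /^\[/ { section = $0; depth = 0; next }           # [section] header
        section != "[appdefaults]" { next }
        depth == 0 && /^afs_krb5[ \t]*=[ \t]*[{]$/ { depth = 1; next }
        depth == 1 && /=[ \t]*[{]$/ {                     # REALM = {
            realm = $0; sub(/[ \t]*=.*/, "", realm); depth = 2; next
        }
        depth == 2 && /^[}]$/ { depth = 1; realm = ""; next }
        depth == 1 && /^[}]$/ { depth = 0; next }
        depth == 2 {                                      # key = value
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key == "afs/" cell && val == "true") print realm
        }
    ' "$conf")
    rc=0
    for realm in "$@"; do
        case " $(printf '%s\n' "$ok_realms" | tr '\n' ' ') " in
            *" $realm "*) echo "ok      $realm: afs/$cell = true" ;;
            *) echo "MISSING $realm: no 'afs/$cell = true' under afs_krb5"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample krb5.conf for a stand-alone run (not a real client's file).
# CS.TTU.EDU and TTU.EDU follow the post; EXAMPLE.EDU is invented and lacks
# the afs/cs.ttu.edu entry so the check has something to flag.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
        default_realm = CS.TTU.EDU

[appdefaults]
afs_krb5 = {
         CS.TTU.EDU = {
                 afs = false
                 afs/cs.ttu.edu = true
         }
         TTU.EDU = {
                 afs = false
                 afs/cs.ttu.edu = true
                 krb524_server=oak.cs.ttu.edu   # inline comment is ignored
         }
         EXAMPLE.EDU = {
                 afs = true
         }
}
EOF
}

main() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    afs_krb5_check "$tmp" cs.ttu.edu CS.TTU.EDU TTU.EDU          # exits 0
    afs_krb5_check "$tmp" cs.ttu.edu EXAMPLE.EDU || echo "(failure expected)"
    rm -f "$tmp"
}
main
```

Against a real client you would call afs_krb5_check /etc/krb5.conf cs.ttu.edu CS.TTU.EDU TTU.EDU from whatever pushes the file out, and treat a non-zero exit as a client that still needs the stanza. The parser only understands the one-key-per-line, brace-on-the-same-line layout used in the post; it is a consistency check for that stanza, not a general krb5.conf validator.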