[OpenAFS] Kerberos 5, AFS, and no krb524d

Nicholas Henke henken@seas.upenn.edu
05 Jun 2003 15:02:37 -0400


On Thu, 2003-06-05 at 14:42, Ken Hornstein wrote:
> 
> In theory, if you're running a new enough OpenAFS (1.2.9 or greater),
> you could modify aklog to simply store the V5 Kerberos ticket and
> single-DES session key in the credential cache, instead of going through
> the 524 translator.  That falls under the "advanced topics" heading, and
> if you're having trouble getting krb524d running then it may not be
> for you.

I am running the latest version of OpenAFS -- 1.2.9. How should I do this
-- or has someone done this already?

> 
> One thing occurs to me ... you said you tried to get krb524d working with
> a keytab.  You _do_ know that once you extract the key into the keytab,
> you need to then store that new key on the AFS fileservers, right?

Let me explain that a bit further:

Penn has a kerberos system, and I am able to addprinc, delprinc, etc on
that. The server that is the kdc does not have a krb524d running. Now,
on the machine that I am attempting to setup OpenAFS on, I used ktadd to
add the keys for afs & afsadmin to /etc/krb5.keytab, and started
'krb524d -k' on the OpenAFS server. I modified krb5.conf to tell it that
there is now a krb524_server and a new kdc on the OpenAFS server. I then
used kinit to get a ticket for afsadmin, and then tried using aklog --
but aklog fails.
-- 
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania
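On Ken's point that a key extracted with ktadd must also be stored on the AFS fileservers, one check a practitioner can make is whether the kvno the keytab now holds for the afs principal also appears in the fileserver's KeyFile. The script below is an added example, not code from the thread or from OpenAFS: it parses text in the shape of `klist -k` and `bos listkeys` output (both samples are constructed, and EXAMPLE.EDU is a hypothetical realm) and reports whether the kvnos line up.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenAFS). Compares the kvno of the
# afs principal in a Kerberos keytab against the kvnos in an AFS server's
# KeyFile, using text in the shape of `klist -k` and `bos listkeys` output.
# Both samples below are constructed; EXAMPLE.EDU is a hypothetical realm.

# Constructed `klist -k /etc/krb5.keytab` output: ktadd has bumped afs to kvno 3.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 afs@EXAMPLE.EDU
   3 afsadmin@EXAMPLE.EDU'

# Constructed `bos listkeys <server> -localauth` output: the KeyFile still holds
# only the old kvno 2, so tickets encrypted in kvno 3 cannot be decrypted.
SAMPLE_BOS_STALE='key 2 has cksum 1234567890
Keys last changed on Tue Jun  3 10:00:00 2003.
All done.'

# Same, after the new key was added to the KeyFile as kvno 3.
SAMPLE_BOS_FRESH='key 2 has cksum 1234567890
key 3 has cksum 987654321
Keys last changed on Thu Jun  5 14:00:00 2003.
All done.'

# keytab_kvnos KLIST_OUTPUT PRINCIPAL -> kvnos the keytab holds for PRINCIPAL
keytab_kvnos() {
  printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }'
}

# keyfile_kvnos BOS_OUTPUT -> kvnos present in the server's KeyFile
keyfile_kvnos() {
  printf '%s\n' "$1" | awk '$1 == "key" { print $2 }'
}

# check_afs_key KLIST_OUTPUT BOS_OUTPUT PRINCIPAL
# Returns 0 if some keytab kvno for PRINCIPAL is also in the KeyFile, 1 otherwise.
check_afs_key() {
  for kv in $(keytab_kvnos "$1" "$3"); do
    for fk in $(keyfile_kvnos "$2"); do
      if [ "$kv" = "$fk" ]; then
        echo "kvno $kv for $3 is present in the KeyFile"
        return 0
      fi
    done
  done
  echo "no keytab kvno for $3 is in the KeyFile (keytab has: $(keytab_kvnos "$1" "$3" | tr '\n' ' '))"
  return 1
}

check_afs_key "$SAMPLE_KLIST" "$SAMPLE_BOS_STALE" afs@EXAMPLE.EDU || :
check_afs_key "$SAMPLE_KLIST" "$SAMPLE_BOS_FRESH" afs@EXAMPLE.EDU
```

A matching kvno is necessary but not sufficient: bos listkeys shows only a checksum, so the key bytes in the KeyFile must also be the ones ktadd wrote to the keytab.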