[OpenAFS] Kerberos 5, AFS, and no krb524d

Douglas E. Engert deengert@anl.gov
Thu, 05 Jun 2003 14:48:50 -0500


Derrick J Brashear wrote:
> 
> On Thu, 5 Jun 2003, Douglas E. Engert wrote:
> 
> > If you Kerberos admins will not run the krb524d (and I don't know
> > why not) there are some other options:
> >
> >  o An aklog that just used the k5 ticket would be good, but is there one
> >    yet? This would in effect be a klog, using k5, and the K5 realm must
> >    match the AFS cell. The AFS servers need to be 1.2.9
> 
> I wrote one, it takes like 15 minutes to write, and I think Love wrote
> one, but I don't consider mine releasable, and I really think not letting
> a server, a single point of change, do the work, is a bad idea.

What server? Can't the client get a k5 ticket for afs/<call>@<realm>
then recompose the k5 ticket into a token? i.e. the encrypted part 
of the ticket should not need to be changed. So there is no server.
Or am I missing something here?

(P.S. The gssklogd runs on each AFS db server, so the client will try
each db server listed for the cell, so there is no single point 
of failure. Likewise multiple krb524d servers can be run.)   
 


-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444