[OpenAFS] Kerberos 5, AFS, and no krb524d

Derrick J Brashear shadow@dementia.org
Thu, 5 Jun 2003 15:54:30 -0400 (EDT)


On Thu, 5 Jun 2003, Douglas E. Engert wrote:

> > I wrote one, it takes like 15 minutes to write, and I think Love wrote
> > one, but I don't consider mine releasable, and I really think not letting
> > a server, a single point of change, do the work, is a bad idea.
>
> What server?

krb524d.

> Can't the client, get a k5 ticket for afs/<cell>@<realm>
> then recompose the k5 ticket into a token? i.e. the encrypted part

Yes, of course it can. What happens if that composition changes? Why
change 5000 aklogs when you can change one krb524d?

> of the ticket should not need to be changed. So there is no server.
> Or am I missing something here?
>
> (P.S. The gssklogd runs on each AFS db server, so the client will try
> each db server listed for the cell, so there is no single point
> of failure. Likewise multiple krb524d servers can be run.)