[OpenAFS] Kerberos 5, AFS, and no krb524d

Douglas E. Engert deengert@anl.gov
Thu, 05 Jun 2003 15:00:56 -0500


Derrick J Brashear wrote:
> 
> On Thu, 5 Jun 2003, Douglas E. Engert wrote:
> 
> > > I wrote one, it takes like 15 minutes to write, and I think Love wrote
> > > one, but I don't consider mine releasable, and I really think not letting
> > > a server, a single point of change, do the work, is a bad idea.
> >
> > What server?
> 
> krb524d.
> 
> > Can't the client get a k5 ticket for afs/<cell>@<realm>
> > then recompose the k5 ticket into a token? i.e. the encrypted part
> 
> Yes, of course it can. What happens if that composition changes? Why
> change 5000 aklogs when you can change one krb524d.

That's fine too, if you have the install base.

But the original problem was that the user could not get his admins to run
krb524d, and everyone is having problems finding an aklog that runs for them.

So in the long run if you can avoid using the krb524d all the better.

> 
> > of the ticket should not need to be changed. So there is no server.
> > Or am I missing something here?
> >
> > (P.S. The gssklogd runs on each AFS db server, so the client will try
> > each db server listed for the cell, so there is no single point
> > of failure. Likewise multiple krb524d servers can be run.)
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444