[OpenAFS] Kerberos 5, AFS, and no krb524d
Derek Atkins
warlord@MIT.EDU
05 Jun 2003 20:01:03 -0400
Nicholas Henke <henken@seas.upenn.edu> writes:
> On Thu, 2003-06-05 at 15:09, Neulinger, Nathan wrote:
>
> > Do the key and kvno that you added to that keytab match the key in the
> > KeyFile on the afs servers? Migration kit should have docs on how to do
> > this.
>
> I don't think so. ... Just for my sanity, what keys need to be served
> for OpenAFS in krb524d? The admin user (
> afsadmin/roughneck.liniac.upenn.edu in my case ), or just the afs user
> (afs/roughneck.liniac.upenn.edu ) ?
You only need afs/<cell> to be served by krb524d. You don't need
anything else.
> Given that the keys are not the same could pose a bit of a problem eh ?
If what's in your keytab, KeyFile, and KDC don't match you will be in
deep doodoo.
> I am a bit confused as to what keys need to go where. Do the keys for
> krb524d need to be the single des ( -e des-cbc-crc:v4 ) keys, or the
> 3des keys ?
afs/<cell>@REALM needs to be a 1-des key (des-cbc-crc:v4). It doesn't
matter what any other key is. Everything else is just a regular Kerberos
user.
> Nic
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
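
The consistency check discussed in this thread (the afs/<cell> entry in the keytab must be a des-cbc-crc key and must match the KeyFile by kvno and key), as an added example that is not part of the original message or of any OpenAFS or Kerberos tool. It assumes an MIT keytab in format version 0x0502 and the classic KeyFile layout (32-bit count, then records of 32-bit kvno plus 8-byte key, big-endian); the principal afs/example.org@EXAMPLE.ORG and the key bytes are constructed sample data.

```python
import struct
DES_CBC_CRC = 1  # Kerberos enctype number of des-cbc-crc

def _counted(buf, p):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(buf):
    """Yield (principal, kvno, enctype, key) from a version 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                         # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", buf, pos)
            p, parts = pos + 2, []
            for _ in range(ncomp + 1):       # realm first, then name components
                s, p = _counted(buf, p)
                parts.append(s.decode())
            kvno, etype = struct.unpack_from(">BH", buf, p + 8)  # skip type, time
            key, p = _counted(buf, p + 11)
            if end - p >= 4:                 # optional 32-bit kvno wins if nonzero
                kvno = struct.unpack_from(">I", buf, p)[0] or kvno
            yield "/".join(parts[1:]) + "@" + parts[0], kvno, etype, key
        pos = end

def parse_keyfile(buf):
    """Return {kvno: key} from a KeyFile: int32 count, then (int32 kvno, 8-byte key)."""
    (n,) = struct.unpack_from(">i", buf, 0)
    return dict(struct.iter_unpack(">i8s", buf[4:4 + 12 * n]))

def check_afs_key(keytab, keyfile, principal):
    """Return a list of mismatches; empty means keytab and KeyFile agree."""
    afs = parse_keyfile(keyfile)
    entries = [e for e in parse_keytab(keytab) if e[0] == principal]
    problems = [] if entries else [f"{principal} not in keytab"]
    for _, kvno, etype, key in entries:
        if etype != DES_CBC_CRC:
            problems.append(f"kvno {kvno}: enctype {etype} is not des-cbc-crc")
        elif afs.get(kvno) != key:
            problems.append(f"kvno {kvno}: no matching key in KeyFile")
    return problems

KEY = bytes.fromhex("0123456789abcdef")  # constructed sample data, not a real key
_s = lambda b: struct.pack(">H", len(b)) + b
_e = (b"\x00\x02" + _s(b"EXAMPLE.ORG") + _s(b"afs") + _s(b"example.org")
      + struct.pack(">IIBH", 1, 0, 3, 1) + _s(KEY))   # kvno 3, enctype 1
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_e)) + _e
SAMPLE_KEYFILE = struct.pack(">ii", 1, 3) + KEY
```

This compares only the keytab and the KeyFile; the KDC's copy of the key has to be checked separately.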