[OpenAFS] Kerberos 5, AFS, and no krb524d

Ken Hornstein kenh@cmf.nrl.navy.mil
Fri, 06 Jun 2003 12:45:31 -0400


>>  o An aklog that just used the k5 ticket would be good, but is there one
>>    yet? This would in effect be a klog, using k5, and the K5 realm must
>>    match the AFS cell. The AFS servers need to be 1.2.9
>
>I wrote one, it takes like 15 minutes to write, and I think Love wrote
>one, but I don't consider mine releasable, and I really think not letting
>a server, a single point of change, do the work, is a bad idea.

I think I respectfully disagree.

Integration of AFS and Kerberos 5 has always been tricky for the novice,
because you need to do extra stuff to make it work (I know the reasons for
this, but maybe I just like to complain :-) ).  I think the closer we
get to AFS being "just another" Kerberos service, the better.  E.g.,
make it use V5 keytabs, no extra crap, etc etc.  I'm starting to see
more and more sites setting up global "No Kerberos V4" policies, so
the closer we get to AFS being full Kerberos 5 (I'm happy with rxkad 2b,
but of course I'd like something better :-) ), the better off we are.

--Ken