[OpenAFS] Kerberos 5, AFS, and no krb524d

Ken Hornstein kenh@cmf.nrl.navy.mil
Fri, 06 Jun 2003 15:40:39 -0400


>No, it's part of a krb5 ticket: the encrypted part. If it were a krb5
>ticket you could krb5_get_credentials something and stuff it into the
>kernel (probably with a header) and be done.

Ah, okay, I see what you mean.  But: so what?  It's not an AP_REQ.
Actually ... I guess I'm missing something here.  It looks to me like
all that the V4 aklog ever did was stuff a CREDENTIALS structure in the
kernel, which is the V4 encrypted ticket plus some stuff in the clear
(which the cache manager ignores).  It's not a V4 AP_REQ.  So, what's
the real difference?  In the V5 world, you don't get a byte stream
output from krb5_get_credentials(); you're just supposed to get an
AP_REQ.  So the only analogous thing _is_ just the encrypted V5
ticket.

--Ken