[OpenAFS] Kerberos 5, AFS, and no krb524d

Derrick J Brashear shadow@dementia.org
Fri, 6 Jun 2003 15:47:17 -0400 (EDT)


On Fri, 6 Jun 2003, Ken Hornstein wrote:

> Ah, okay, I see what you mean.  But: so what?  It's not an AP_REQ.
> Actually ... I guess I'm missing something here.  It looks like to me,
> all that the V4 aklog ever did was stuff a CREDENTIALS structure in the
> kernel, which is the V4 encrypted ticket plus some stuff in the clear

Right. It "knew" the format of a token, and "knew" the format of the krb4
ticket, and reassembled some bits (and had some leftovers) and did the
right thing. But we never claimed to be using krb4 tickets.

> (which the cache manager ignores).  It's not a V4 AP_REQ.  So, what's
> the real difference?  In the V5 world, you don't get a byte stream
> output from krb5_get_credentials(); you're just supposed to get an
> AP_REQ.  So the only analogous thing _is_ just the encrypted V5
> ticket.

You're comparing a smaller, older apple to a huge granny smith. I'm
telling you the thing in your other hand is a papaya.