[OpenAFS] Kerberos 5, AFS, and no krb524d
Nicholas Henke
henken@seas.upenn.edu
09 Jun 2003 11:31:01 -0400
On Fri, 2003-06-06 at 11:07, Douglas E. Engert wrote:
> Nicholas Henke wrote:
> >
> > On Thu, 2003-06-05 at 16:29, Douglas E. Engert wrote:
> >
> > > I will let someone else answer this, as the modified krb524d we use uses one key
> > > for the K5 ticket to decrypt it, then reads the AFS keyfile to get the key
> > > in which to encrypt the AFS token, thus avoiding many of these key sync issues.
> > > like enctypes or kvno don't have to match.
> >
> > Is the modified krb524d something that would be useful to me -- or
> > possibly others?
>
> Yes they could be. We are running krb5-1.2.8. See
> ftp://achilles.ctd.anl.gov/pub/kerberos.v5/afs524.notes
> ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5128.cdiffp.20030606
> ftp://achilles.ctd.anl.gov/pub/kerberos.v5/ak5log.20030606.tar
>
> Older versions are under ftp://achilles.ctd.anl.gov/pub/kerberos.v5/old/
>
> Look at the krb524* changes listed in the k5128 diff file above.
> These changes were originally written when we had DFS as well as AFS,
> and we were trying to use the Transarc AFS/DFS Migration.
> Because of the way it worked, the changes and the ak5log program
> were using principals of afsx/<cell>@<realm>. If you want to
> use your current aklog, you could use the afs/<cell>@<realm>
> You will need to change the compare in conv_princ.c from "afsx" to "afs"
> (But I have not tried this.)
>
> You need to compile the Kerberos with -DAFS524
>
> These changes were originally submitted to MIT in 1996.
> Maybe it is time to submit them again?
Do the changes in k5128 need to be used for the ak5log to work, or will
ak5log work on its own with a regular K5 setup?
Nic
--
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania