[OpenAFS] Kerberos 5, AFS, and no krb524d

[Nicholas Henke]

On Fri, 2003-06-06 at 11:07, Douglas E. Engert wrote:
> Nicholas Henke wrote:
> > 
> > On Thu, 2003-06-05 at 16:29, Douglas E. Engert wrote:
> > 
> > > I will let someone else answer this, as modified krb524d we use uses one key
> > > for the K5 ticket to decrypt it, then reads the AFS keyfile to get the key
> > > in which to encrypt the AFS token, thus avoidning many of these key sync issues.
> > > like enctypes or kvno don't have to match.
> > 
> > Is the modified krb524d something that would be usefull to me -- or
> > possibly others ?
> 
> Yes they could be. We are running krb5-1.2.8  See 
> ftp://achilles.ctd.anl.gov/pub/kerberos.v5/afs524.notes
> ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k5128.cdiffp.20030606
> ftp://achilles.ctd.anl.gov/pub/kerberos.v5/ak5log.20030606.tar
> 
> Older versions are under ftp://achilles.ctd.anl.gov/pub/kerberos.v5/old/
> 
> Look at the krb524* changes listed in the k5128 diff file above. 
> These changes where originally written when we had DFS as well as AFS,
> and we where using trying to use the Transarc AFS/DFS Migration.
> Because of the way it worked, the changes and the ak5log program
> where using principals of afsx/<cell>@<realm>. If you want to
> use your current aklog, you could use the afs/<cell>@<realm> 
> You will need to change the compare in conv_princ.c from "afsx" to "afs"
> (But I have not tried this.) 
> 
> You need to compile the Kerberos with -DAFS524 
> 
> These changes where originally submitted to MIT in 1996. 
> Maybe it is time to submit them again? 

Do the changes in k5128 need to be used for the ak5log to work, or will
ak5log work on it's own with a regular K5 setup ?

Nic
-- 
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania