[OpenAFS] Kerberos 5, AFS, and no krb524d

Christian Ospelkaus christian@core-coutainville.org
Tue, 10 Jun 2003 11:47:37 +0200

> Yes, MIT Kerberos 1.2.4 on Debian.
> Both of the above works fine when connecting from Linux machines. I can
> mount the user's directory, work with rights etc.

I have found the following to work really nicely under Debian with XP / 2K 
clients: I use the heimdal kdc packages for Debian. You can compile Heimdal 
with support for KA and V4, and this is the case with these packages. The 
Windows client speaks plain V4, and heimdal can answer such requests. That 
allows you to transparently obtain tokens when logging into 2K / XP. I 
followed the instructions at:


There are some things to observe, however: 

Before you follow this procedure, make sure your krb5.conf is set up as 
documented in the wiki, in particular before creating any principals. 

You need to make sure you have both the afs/cell@REALM and afs@REALM 
principals. I did this by doing a 

dump -d <filename>

in kadmin, after creating the afs/cell@REALM principal and after removing 
3des, then editing that file, removing all lines except the afs/cell@REALM 
line, then deleting the /cell in the one remaining line and doing 

merge <filename> 

in kadmin. It took me some time until I noticed that the ktutil copy command 
will never create a new KeyFile - it seems it can only add the key to an 
existing KeyFile.

Note that I still use the pam modules 


from the MIT distribution; these only require the MIT library packages to be 
installed, which nicely coexist with heimdal stuff.

This seems to be the best configuration for me, and it works out of the box 
with the precompiled packages, giving you a krb5 kdc with backwards 
compatibility for klog and the W2K / XP client...

Best regards,
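
The dump-file edit described in the post above (keep only the afs/cell@REALM line, then drop "/cell"), as an added shell example that is not part of the original message. It assumes the text dump holds one entry per line with the principal name as the first whitespace-separated field; the function names, file names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the text dump has one
# entry per line and the principal name is the first whitespace-separated field.

# Constructed sample dump; the key fields are placeholders, not real dump data.
make_sample_dump() {
    printf '%s\n' \
        'afs/example.org@EXAMPLE.ORG CONSTRUCTED_KEY_FIELD_A more fields' \
        'krbtgt/EXAMPLE.ORG@EXAMPLE.ORG CONSTRUCTED_KEY_FIELD_B more fields' > "$1"
}

# clone_afs_entry DUMP CELL REALM OUT
# Writes to OUT the single afs/CELL@REALM line from DUMP, renamed to afs@REALM.
# The body runs in a subshell so the umask change stays local.
clone_afs_entry() (
    dump=$1; cell=$2; realm=$3; out=$4
    src="afs/$cell@$realm"
    dst="afs@$realm"

    # Dump lines carry long-term keys: create the output owner-only and never
    # write into a pre-existing file whose permissions may be looser.
    umask 077
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2; exit 1
    fi

    # Exactly one source entry must exist, otherwise the edit is ambiguous.
    n=$(awk -v p="$src" '$1 == p { c++ } END { print c + 0 }' "$dump")
    if [ "$n" -ne 1 ]; then
        echo "expected one $src entry, found $n" >&2; exit 1
    fi

    # Nothing to derive if the dump already holds afs@REALM.
    if awk -v p="$dst" '$1 == p { f = 1 } END { exit !f }' "$dump"; then
        echo "$dst already present in $dump" >&2; exit 2
    fi

    # Replace only the first field; the rest of the line is copied verbatim.
    awk -v p="$src" -v d="$dst" '$1 == p {
        print d substr($0, index($0, $1) + length($1))
    }' "$dump" > "$out"
)
```

The output file is the one-line file the post then feeds to merge in kadmin. Both the full dump and the derived file contain key material and should be removed once the merge is done.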