[OpenAFS] krb5 migration questions
David Botsch
dwb7@ccmr.cornell.edu
Wed, 11 Jun 2003 13:29:36 -0400
Two questions on krb5 migration, which we are in the process of testing (btw, I
am writing up what we do and will submit it for wiki, etc when we are done).
The first question is on this note in the wiki:
if using krb5 1.2.6 or later from MIT, add to krb5.conf on krb524d host to
continue using old-style krb4 ticket derived tokens:
[appdefaults]
    afs_krb5 = {
        REALM.NAME = {
            afs = false
            afs/cell.name = false
        }
    }
Why, exactly, is this necessary? And, are we referring to aklog type tokens
here, etc. (Macs, for example, initially get tokens with aklog'ing on krb4
tickets)?
Next:
It is mentioned many times that the afs principal in krb5 should be created
with -e des-cbc-crc:v4
Why not des-cbc-crc:afs3 ?
And, I have noted that when doing:
kadmin: addprinc -randkey -e des-cbc-crc:v4 afs
kadmin: getprinc afs
(snip)
Key: vno 1, DES cbc mode with CRC-32, no salt
(snip)
Ok, so, no salt? Is this right? Is this a bug in the krb5 version that we have?
Examining a user imported with the krb5 migration kit:
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
On the test krb5 server, I can still get tokens (from Linux, at least) using klog and fakeka.
So, maybe nothing is wrong. Or maybe this will cause a problem in the future?
Problems with other OSes maybe?
Thanks!
--
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************