[OpenAFS] Using OpenAFS with existing Kerberos servers
Derek Atkins
warlord@MIT.EDU
01 Sep 2003 12:15:03 -0400
Other things to keep in mind:
1) the afs/cell@REALM key must be of enctype des-cbc-XXX (you cannot
use a 3des key)
2) you need to 'ktadd' (from kadmin) to create a keytab (and again you
need to specify 1-des)
3) You need to 'asetkey' and make sure you set the correct kvno.
-derek
Derrick J Brashear <shadow@dementia.org> writes:
> On Mon, 1 Sep 2003, David Howells wrote:
>
> >
> > > Yes, do a search for 'krb5 migration kit',
> >
> > Seems that if you're not a US denizen, then your head falls off and the US
> > government breathes down your neck if you download it. :-)
>
> The same thing is theoretically true of MIT krb5, and yet I bet you're not
> using Heimdal;-)
>
> > 16 31 rogon openafs AFS (RX) FS Request: fetch-status (132)
> > 17 31 openafs rogon RX CHALLENGE Seq: 0 Call: 0 Source Por
> > 18 31 rogon openafs RX RESPONSE Seq: 0 Call: 0 Source Port
> > 19 31 openafs rogon RX ACK Seq: 0 Call: 1 Source Port: afs
> > 20 32 openafs rogon RX ABORT Seq: 0 Call: 0 Source Port: a
>
> []
>
> > But I'm not sure whether aklog should result in a ticket winding up in the
> > Krb4 cache as well.
>
> Nor am I, actually. Assuming you're using a modern enough Kerberos and the
> right options (which I believe are default for MIT and need to be
> specified for Heimdal) krb524 returns not a krb4 ticket but a stripped
> krb5 ticket for AFS; in either case, it gets crammed into the kernel and
> the right thing should just happen.
>
> What is the output of "tokens" after you run aklog? For that matter, what
> does aklog -d (any other args you gave) say?
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
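
A check for the three points listed at the top of this message, added here as an example and not part of the original thread: it reads a keytab listing and confirms that the current afs key is single DES only and that the kvno intended for asetkey matches. The listing layout, the cell and realm names, and the function names are assumptions made for the example.

```python
import re

# Constructed listings in the "<kvno> <principal> (<enctype>)" layout that
# `klist -k -e` prints (layout assumed); cell and realm names are made up.
BAD = """\
KVNO Principal
---- ------------------------------------------
   4 afs/example.org@EXAMPLE.ORG (des3-cbc-sha1)
   4 afs/example.org@EXAMPLE.ORG (des-cbc-crc)
"""
GOOD = """\
KVNO Principal
---- ------------------------------------------
   3 afs/example.org@EXAMPLE.ORG (des3-cbc-sha1)
   4 afs/example.org@EXAMPLE.ORG (des-cbc-crc)
   2 host/fs1.example.org@EXAMPLE.ORG (des3-cbc-sha1)
"""
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_entries(listing):
    """Return (kvno, principal, enctype) tuples; header lines are skipped."""
    found = (ENTRY.match(line) for line in listing.splitlines())
    return [(int(m[1]), m[2], m[3]) for m in found if m]

def check_afs_key(listing, principal, asetkey_kvno):
    """Return a list of problems for the afs key; an empty list means OK."""
    keys = [e for e in parse_entries(listing) if e[1] == principal]
    if not keys:
        return [f"no keytab entry for {principal}"]
    newest = max(kvno for kvno, _, _ in keys)
    problems = []
    # Points 1 and 2: the current key must be des-cbc-* only, never 3DES.
    # Entries with an older kvno are ignored (assumption: superseded keys).
    for kvno, _, enctype in keys:
        if kvno == newest and not enctype.startswith("des-cbc-"):
            problems.append(f"kvno {kvno} is not single DES: {enctype}")
    # Point 3: the kvno handed to asetkey must be the one in the keytab.
    if asetkey_kvno != newest:
        problems.append(f"asetkey kvno {asetkey_kvno} != keytab kvno {newest}")
    return problems

if __name__ == "__main__":
    for name, text in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_afs_key(text, "afs/example.org@EXAMPLE.ORG", 4))
```

The BAD listing models a ktadd run without the single-DES restriction, which leaves a 3DES key at the same kvno as the DES one.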