[OpenAFS] When Using Kerberos5 is klog necessary?

Russ Allbery rra@stanford.edu
Thu, 01 Jan 2004 10:43:45 -0800


Jeffrey Altman <jaltman@columbia.edu> writes:

> Assuming that kinit was to use the obtained TGT to produce AFS tokens
> for multiple cells, how would you want the configuration information to
> be specified?  Would this be placed in the krb5.conf file or would this
> go into a new user specific profile file stored in each home directory?

We put it into krb5.conf.  The relevant sections of our krb5.conf look
like this:

[appdefaults]
    krb4_get_tickets      = false
    krb5_get_tickets      = true

    stanford.edu = {
        aklog_path        = /usr/local/bin/aklog
        krb4_get_tickets  = true
        krb4_convert      = false
        krb_run_aklog     = true
    }

Some of this may rely on the extensions to the configuration API that
Booker Bense wrote for us.  Note that you can configure these things
per-realm, so you can adjust to whatever variation of work you need in
different realms.

We're still using independent, synchronized K4 and K5 realms, so our kinit
is configured to separately obtain K4 and K5 tickets and then run a
standard K4 aklog.  But as soon as we switch over to using the various
fakeka-related stuff, we can turn off krb4_get_tickets and switch aklog
versions.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
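
The per-realm override described in the message above, as an added example that is not part of the original post and is not the Stanford kinit code. It is a simplified model of [appdefaults] lookup: global values are overlaid by a realm subsection whose name is matched exactly as spelled in the file. Nested application subsections are not handled, and the function names and the realm example.org are assumptions made for illustration.

```python
# Added illustration: resolve effective [appdefaults] settings per realm.
# SAMPLE is the krb5.conf excerpt quoted in the message above.
SAMPLE = """\
[appdefaults]
    krb4_get_tickets      = false
    krb5_get_tickets      = true

    stanford.edu = {
        aklog_path        = /usr/local/bin/aklog
        krb4_get_tickets  = true
        krb4_convert      = false
        krb_run_aklog     = true
    }
"""

def parse_appdefaults(text):
    """Return (global_options, {subsection_name: options}) for [appdefaults]."""
    top, subs, current, in_section = {}, {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[appdefaults]"
            current = None
            continue
        if not in_section:
            continue                      # ignore every other section
        if line == "}":
            current = None                # end of a realm subsection
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue                      # not a key = value line
        if value == "{":
            current = subs.setdefault(key, {})   # start of a subsection
        elif current is not None:
            current[key] = value
        else:
            top[key] = value
    return top, subs

def effective(text, realm):
    """Global settings overlaid with the realm's subsection, if it has one."""
    top, subs = parse_appdefaults(text)
    return {**top, **subs.get(realm, {})}

if __name__ == "__main__":
    for realm in ("stanford.edu", "example.org"):   # example.org: hypothetical
        print(realm, effective(SAMPLE, realm))
```

Only the realm with its own subsection obtains K4 tickets and runs aklog; any other realm falls back to the global values, so turning off krb4_get_tickets later is a one-line change inside the stanford.edu block.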