[OpenAFS] aklog and aklog -524

vladimir konrad v.konrad@lse.ac.uk
Tue, 14 Nov 2006 15:36:50 +0000


i am in the process of upgrading clients from debian sarge to debian
etch. the servers run debian woody:

what is running where:
  servers:	openafs 1.2.11, kerberos 5 with krb524 daemon running
  sarge client:	aklog from openafs-krb5 1.3
  etch client:	aklog from openafs-krb5 1.4.2-2

under sarge, aklog works without any glitch; under etch it only works
with the option -524 (this has something to do with kerberos ticket
conversion from version 5 to version 4).

when doing aklog from sarge, the kerberos server log shows two requests
for principals:
	afs/domain-name@kerberos-realm
	afs@kerberos-realm

when doing the same from etch with -524 option, the log shows only one
request for principal:
	afs/domain-name@kerberos-realm

there is only one principal in the kerberos database for afs:
afs@kerberos-realm.

i would like to have etch do aklog without the -524 option against our
existing servers (this way i would not have to hack the pam module). i
have spoken to the debian developers and the reply was the following:

"It's actually the AFS configuration that matters, not the Kerberos
configuration.  The AFS servers need to have the DES key of the K5
principal in their KeyFiles and, if the Kerberos realm is different than
the AFS cell, have a krb.conf file in the server configuration directory
listing the Kerberos realm."

to the best of my knowledge the kerberos 5 principal for afs is des.
my guess is that i am supposed to have
the afs/domain-name@kerberos-realm principal and not the
afs@kerberos-realm principal. is this the case, or is there something
else in play here?

vlad
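A small diagnostic, added here and not part of the post above: it parses krb5kdc TGS_REQ lines (the sample lines are constructed, modelled on the MIT krb5kdc log format) and reports which afs service principals a client asked for, which of them the KDC did not know, and whether the tickets it did issue used a DES enctype, which is what the quoted reply says the AFS servers need in their KeyFile. The realm, cell name and client addresses are placeholders.

```python
import re

# Constructed sample krb5kdc lines. The first two mirror the pattern the post
# describes for a sarge aklog: a request for afs/<cell>@REALM, then one for
# afs@REALM. The third shows a ticket issued with a non-DES enctype (16 = des3).
SAMPLE_LOG = """\
Nov 14 15:30:01 kdc krb5kdc[2101](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.5: UNKNOWN_SERVER: authtime 1163518610, user@EXAMPLE.REALM for afs/example.cell@EXAMPLE.REALM, Server not found in Kerberos database
Nov 14 15:30:01 kdc krb5kdc[2101](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.5: ISSUE: authtime 1163518610, etypes {rep=16 tkt=1 ses=1}, user@EXAMPLE.REALM for afs@EXAMPLE.REALM
Nov 14 15:31:12 kdc krb5kdc[2101](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.6: ISSUE: authtime 1163518672, etypes {rep=16 tkt=16 ses=16}, user@EXAMPLE.REALM for afs/example.cell@EXAMPLE.REALM
"""

# client address, request status, requesting user and requested service.
TGS_RE = re.compile(
    r"TGS_REQ .*? (?P<client>[\d.]+): (?P<status>[A-Z_]+): .*?"
    r"(?P<user>\S+@\S+) for (?P<service>[^,\s]+)"
)
# enctype of the issued ticket ("tkt=N" inside the etypes braces)
TKT_RE = re.compile(r"tkt=(?P<tkt>\d+)")
# Kerberos enctype numbers for single DES: des-cbc-crc, des-cbc-md4, des-cbc-md5
DES_ETYPES = {1, 2, 3}


def is_afs_service(principal):
    """True for afs@REALM and afs/<cell>@REALM."""
    name = principal.split("@", 1)[0]
    return name == "afs" or name.startswith("afs/")


def summarize_afs_requests(log_text):
    """Per afs service principal: counts of issued / unknown-server requests
    and the set of ticket enctypes the KDC used when it did issue."""
    summary = {}
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if not m or not is_afs_service(m.group("service")):
            continue
        entry = summary.setdefault(
            m.group("service"), {"issued": 0, "unknown": 0, "tkt_etypes": set()}
        )
        if m.group("status") == "ISSUE":
            entry["issued"] += 1
            t = TKT_RE.search(line)
            if t:
                entry["tkt_etypes"].add(int(t.group("tkt")))
        elif m.group("status") == "UNKNOWN_SERVER":
            entry["unknown"] += 1
    return summary


def non_des_afs_tickets(summary):
    """Principals that were issued tickets an AFS 1.2 server cannot decrypt."""
    return sorted(p for p, e in summary.items() if e["tkt_etypes"] - DES_ETYPES)
```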