[OpenAFS] krb5 inclusion in client build = NO kaserver auth whatsoever?

Douglas E. Engert deengert@anl.gov
Mon, 03 Dec 2007 09:53:41 -0600


Derrick Brashear wrote:
> 
> 
> On Dec 3, 2007 10:16 AM, Jeff Blaine <jblaine@kickflop.net> wrote:
> 
>     I'm trying to deduce the depth of effect from building
>     OpenAFS client tarballs with '--with-krb5-conf=...'
> 
>     During our transition to krb5 auth, I'd like our clients
>     to have an OpenAFS allowing kaserver auth, but I obviously
>     want aklog in place for those willing to test krb5 + aklog.
> 
>     Can anyone save me some testing time and comment on the
>     feasibility of that?
> 
> 
> 3 choices:
> 
> krb5kdc with fakeka (if mit) or with kaserver-compat enabled (if 
> heimdal) in place of kaserver
> 
> or
> 
> sync the key between the kaserver and the krb5kdc
> 
> or
> 
> different realm name for krb5 and kaserver, and 2 keys (with different 
> kvnos) on all the afs servers.

Realm names can be the same. Just make sure kvnos are different.


> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444