[OpenAFS] Re: AFS and Windows PAC data still an issue?
Douglas E. Engert
deengert@anl.gov
Fri, 27 Jul 2007 09:00:35 -0500
John W. Sopko Jr. wrote:
> I have been testing AFS using Windows 2003 SP2 as the KDC.
> Things seem to be working fine with OpenAFS 1.4.4 linux
> clients using kinit/aklog and Red Hat pam_krb5afs module.
> Also things seem to work fine with the Windows 1.5.21 afs
> client and kfw 3.2 on Windows XP clients.
>
> Is the PAC data still an issue with the latest OpenAFS release?
> Is the issue the PAC data that is put in the afs/cell.name
> service principal breaks older clients? Thanks for any input.
Could still be an issue with older clients, that had a limit around 1k?
OpenAFS added code to allow 12K, but I also saw a Microsoft article
that raised their limit to 14K!
But since AFS does not need the PAC you could tell AD 2003 to not send it.
The original patch was:
http://support.microsoft.com/kb/832572
It adds another bit to the userAccountControl
http://support.microsoft.com/kb/305144
You can get your AD admin to set this bit in the afs service account.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
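
Added example, not part of the original message: a small Python helper for checking whether the userAccountControl bit discussed above is set on a service account and producing an LDIF modify record that sets it. It assumes the bit is NO_AUTH_DATA_REQUIRED (0x2000000); the DN and the starting userAccountControl value are constructed placeholders.

```python
# Added example (not from the original post). Checks and sets the
# NO_AUTH_DATA_REQUIRED bit in a userAccountControl value so the KDC
# stops adding PAC data to tickets for that service account.

NO_AUTH_DATA_REQUIRED = 0x02000000

# Subset of userAccountControl flags, enough to read a service account.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00200000: "USE_DES_KEY_ONLY",
    NO_AUTH_DATA_REQUIRED: "NO_AUTH_DATA_REQUIRED",
}


def decode_uac(value):
    """Return the names of the known flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def pac_suppressed(value):
    """True when the account is already marked as not needing PAC data."""
    return bool(value & NO_AUTH_DATA_REQUIRED)


def with_pac_suppressed(value):
    """OR the bit in, leaving every other flag untouched."""
    return value | NO_AUTH_DATA_REQUIRED


def ldif_change(dn, current):
    """LDIF modify record that sets the bit, or None if it is already set."""
    if pac_suppressed(current):
        return None
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userAccountControl\n"
        f"userAccountControl: {with_pac_suppressed(current)}\n"
        "-\n"
    )


if __name__ == "__main__":
    dn = "CN=afs-service,CN=Users,DC=example,DC=com"  # constructed placeholder
    current = 66048  # constructed: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    print(decode_uac(current))
    print(ldif_change(dn, current))
```

Read the account's current userAccountControl value first and pass it in, so the other flags on the account are preserved.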