[OpenAFS] 'afs' principal

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 30 Oct 2007 08:51:01 -0400

>The concepts.  The mechanics I can follow (and have).
>I just think it would be great to have a very clear
>description of what those few steps are all about
>(for my documentation which I intend to make as clear
>as possible for everyone and share).

Well ... this gets back into the overlap between Kerberos and AFS.

Let me ask you this: do you understand how Kerberos works?  Why you need
to create service principals for Kerberized services?  If the answer
to both of these questions is "yes", then the short answer to your
question is due to historical concerns, the service key for AFS is
stored in it's own file and asetkey is used to bridge the gap between
the Kerberos keytab and the AFS KeyFile.

If the answer to the questions I have asked is "no", then the best thing
you should do is read up on how Kerberos authentication works.  That's
not meant to be flippant; it's just that any explanation I could give you
now would be rather short and incomplete.  Once you understand how
Kerberos works, then the purpose of the AFS principal and the KeyFile
should be obvious.