[OpenAFS] Migration to Kerberos 5

Jason Edgecombe jason@rampaginggeek.com
Thu, 02 Apr 2009 12:38:38 -0400


Gedaliah Wolosh wrote:
>
>
> On Thu, the 8th of Nisan, 5769 (04/2/2009) Wheeler, JF (Jonathan) wrote:
>
>> I have been studying the documentation for migrating from "Kerberos 4"
>> to Kerberos 5 for AFS as written by Ken Hornstein.  The version of the
>> document that I have is dated 1998 so is a little old.  Is there a
>> newer version anywhere?  If not, can someone please answer the
>> following question: the document suggests that the Kerberos 5 package
>> needs to be rebuilt from source to allow the addition of patches.
>> This is not something we normally do as we install almost all our
>> software via Linux RPMs.  Does this still need to be done or are the
>> relevant programs now available in RPMs somewhere?  For example, I
>> cannot find program asetkey.
>
> Most of Ken's package was incorporated either into MIT krb5 or openafs.
> For example, asetkey is found in the openafs-krb5 rpm. fakeka is in the
> current MIT krb5 but needs to be enabled when built. I don't think it is
> built by default and may not be enabled in the RPM you are using.
>
> The one orphaned piece from Ken's package you may need if you use MIT is
> afs2krb5. This will convert your KA database to krb5 database. It is not
> really maintained anymore and is a bit of a pain to build but you only
> need to use it once. If you go with Heimdal you don't need it at all.
>
If you can tolerate resetting everyone's password or use some glue code
during the transition, then you don't need afs2krb5.

Jason