[OpenAFS] Migration to Kerberos 5

Jason Edgecombe jason@rampaginggeek.com
Thu, 02 Apr 2009 12:38:38 -0400

Gedaliah Wolosh wrote:
> On Thu, the 8th of Nisan, 5769 (04/2/2009) Wheeler, JF (Jonathan) wrote:
>> I have been studying the documentation for migrating from "Kerberos 4"
>> to Kerberos 5 for AFS as written by Ken Hornstein.  The version of the
>> document that I have is dated 1998 so is a little old.  Is there a
>> newer version anywhere ?  If not, can someone please answer the
>> following question: the document suggests that the Kerberos 5 package
>> needs to be rebuilt from source to allow the addition of patches.
>> This is not something we normally do as we install almost all our
>> software via Linux RPMs.  Does this still need to be done or are the
>> relevant programs now available in RPMs somewhere ?  For example, I
>> cannot find program asetkey.
> Most of Ken's package was incorporated either into MIT krb5 or openafs.
> For example, asetkey is found in the openafs-krb5 rpm. fakeka is in the
> current MIT krb5 but needs to be enabled when built. I don't think it is
> built by default and may not be enabled in the RPM you are using.
> The one orphaned piece from Ken's package you may need if you use MIT is
> afs2krb5. This will convert your KA database to krb5 database. It is not
> really maintained anymore and is a bit of a pain to build but you only
> need to use it once. If you go with heimdal you don't need it at all.
If you can tolerate resetting everyone's password or use some glue code
during the transition, then you don't need afs2krb5.