[OpenAFS] Problem with klog

Douglas E. Engert deengert@anl.gov
Fri, 29 May 2009 10:07:46 -0500


Steven Jenkins wrote:

> 
> Note that using klog + kaserver is one option, and that using kadmin
> and aklog is a different option -- you can't mix the two.
> 

Actually you can in some situations, and is one conversion strategy,
which we have used.

It requires the AFS server's KeyFile to have two keys, one from the
kaserver and a second key from the K5 KDC with a different kvno. The
user names have to be equivalent, or exist in only one or the other.
In our case the K5 realm name matches the cell name, making it simpler.

Users could then use either klog or aklog if they had principals
in both the kaserver and the K5 realm. But the passwords are not
synced. As users convert to K5 the kaserver entries can be deleted.

> As you discovered via googling, it's recommended that you use an
> external Kerberos infrastructure rather than klog + kaserver.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
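The dual-key KeyFile arrangement described in the message above, as an added example that is not part of the original thread or of OpenAFS itself. The on-disk layout (a 4-byte big-endian key count followed by eight 12-byte slots of kvno plus 8-byte DES key, 100 bytes in total) is my reading of OpenAFS's afsconf_keys structure and should be verified against your installation; in practice the keys are added with asetkey, and this script only parses, builds and sanity-checks such a file offline. The two sample keys are constructed for illustration and are not real cell keys.

```python
import struct

# Assumed OpenAFS KeyFile layout (struct afsconf_keys, network byte order):
#   afs_int32 nkeys; then MAX_KEYS entries of { afs_int32 kvno; char key[8]; }
# The whole struct is written, so the file is 4 + 8*12 = 100 bytes.
MAX_KEYS = 8
HEADER = struct.Struct(">i")
ENTRY = struct.Struct(">i8s")
KEYFILE_SIZE = HEADER.size + MAX_KEYS * ENTRY.size  # 100

# Constructed sample keys (odd parity per byte, as DES keys should be).
KASERVER_KEY = b"\x01\x02\x04\x07\x08\x0b\x0d\x0e"   # pretend kaserver key, kvno 1
K5_KEY = b"\x10\x13\x15\x16\x19\x1a\x1c\x1f"         # pretend K5 KDC key, kvno 3


def build_keyfile(entries):
    """Serialise (kvno, key) pairs into the 100-byte KeyFile layout; unused slots are zero."""
    if len(entries) > MAX_KEYS:
        raise ValueError("too many keys for a KeyFile")
    out = HEADER.pack(len(entries))
    for kvno, key in entries:
        if len(key) != 8:
            raise ValueError("DES key must be exactly 8 bytes")
        out += ENTRY.pack(kvno, key)
    out += b"\0" * (ENTRY.size * (MAX_KEYS - len(entries)))
    return out


def parse_keyfile(data):
    """Return the list of (kvno, key) entries actually in use in a KeyFile blob."""
    if len(data) < HEADER.size:
        raise ValueError("KeyFile too short")
    (nkeys,) = HEADER.unpack_from(data, 0)
    if not 0 <= nkeys <= MAX_KEYS:
        raise ValueError("implausible key count %d" % nkeys)
    if len(data) < HEADER.size + nkeys * ENTRY.size:
        raise ValueError("KeyFile truncated")
    return [ENTRY.unpack_from(data, HEADER.size + i * ENTRY.size) for i in range(nkeys)]


def has_odd_parity(key):
    """DES keys carry odd parity in every byte; a zeroed slot or garbage fails this."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def check_dual_keys(entries):
    """Sanity checks before trusting a kaserver+K5 KeyFile.

    A kvno collision is the thing that bites: the server picks a key by kvno,
    so two keys sharing one kvno means one of them is never used.
    """
    problems = []
    kvnos = [kvno for kvno, _ in entries]
    dupes = sorted({k for k in kvnos if kvnos.count(k) > 1})
    if dupes:
        problems.append("duplicate kvno(s): %s" % dupes)
    if len(entries) < 2:
        problems.append("fewer than two keys; both kaserver and K5 keys are needed")
    for kvno, key in entries:
        if not has_odd_parity(key):
            problems.append("kvno %d: key bytes do not have DES odd parity" % kvno)
    return problems


def check_keyfile_blob(data):
    """Parse and check a KeyFile blob in one step; returns the list of problems found."""
    return check_dual_keys(parse_keyfile(data))


if __name__ == "__main__":
    good = build_keyfile([(1, KASERVER_KEY), (3, K5_KEY)])
    bad = build_keyfile([(1, KASERVER_KEY), (1, K5_KEY)])
    print("good:", check_keyfile_blob(good) or "ok")
    print("bad: ", check_keyfile_blob(bad))
```

To inspect a real file, read /usr/afs/etc/KeyFile (or wherever your cell keeps it) as bytes and pass it to check_keyfile_blob; compare the kvnos it reports with what bos listkeys shows for the same server.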