[OpenAFS] Support for Kerberos V
Fri, 06 Nov 2009 18:03:15 +0100
Quoting Simon Wilkinson <email@example.com>:
>> What's the state of support for Kerberos V in the current version =20
>> of OpenAFS? For instance, is pre-authentication supported yet?
> You've been able to run OpenAFS with the REQUIRES_PREAUTH flag set on
> the afs/<cell>@REALM principal for at least the last 5 years. You will
> encounter problems if your realm doesn't have REQUIRES_PREAUTH set on
> its krbtgt service, or if you accept cross-realm tickets from realms
> which don't have preauth turned on. ...
Okay, that sounds great! I'm currently working from a book, =20
"Distributed Services with OpenAFS" by Milicio & Gehrke (2007), in =20
which Kerberos V, OpenLDAP and OpenAFS are installed on minimal Debian =20
servers. I'm using Debian lenny, although I think the authors used etch.
In the book, the reader is instructed to install and configure the KDC =20
with the "nopreauth" Kerberos IV compatibility setting selected, which =20
also activates the krb524 process. It is explained that this is =20
necessary for AFS.
I had finished configuring Kerberos V and OpenLDAP and was on the =20
verge of installing OpenAFS before I decided to go back and produce =20
some web pages about what I had discovered so far. I had expected to =20
encounter some differences between the versions of the software that =20
the book is based on and what I'm using now, which often complicates =20
matters, but it's good to know that preauth is now supported!
Are there any other books or websites that you can recommend?