[OpenAFS] Support for Kerberos V

Jaap Winius jwinius@umrk.nl
Fri, 06 Nov 2009 18:03:15 +0100


Quoting Simon Wilkinson <sxw@inf.ed.ac.uk>:

>> What's the state of support for Kerberos V in the current version
>> of OpenAFS? For instance, is pre-authentication supported yet?
>
> You've been able to run OpenAFS with the REQUIRES_PREAUTH flag set on
> the afs/<cell>@REALM principal for at least the last 5 years. You will
> encounter problems if your realm doesn't have REQUIRES_PREAUTH set on
> its krbtgt service, or if you accept cross-realm tickets from realms
> which don't have preauth turned on. ...

Okay, that sounds great! I'm currently working from a book,
"Distributed Services with OpenAFS" by Milicchio & Gehrke (2007), in
which Kerberos V, OpenLDAP and OpenAFS are installed on minimal Debian
servers. I'm using Debian lenny, although I think the authors used etch.

In the book, the reader is instructed to install and configure the KDC
with the "nopreauth" Kerberos IV compatibility setting selected, which
also activates the krb524 process. It is explained that this is
necessary for AFS.

I had finished configuring Kerberos V and OpenLDAP and was on the
verge of installing OpenAFS before I decided to go back and produce
some web pages about what I had discovered so far. I had expected to
encounter some differences between the versions of the software that
the book is based on and what I'm using now, which often complicates
matters, but it's good to know that preauth is now supported!

Are there any other books or websites that you can recommend?

Cheers,

Jaap