[OpenAFS] Heimdal & OpenAFS 1.7.4: Difficult user experience

Lars Schimmer l.schimmer@cgv.tugraz.at
Thu, 26 Jan 2012 20:59:57 +0100


First: We did make a wiki page with all the needed software (links),=20
screenshots, values to enter, path,... for our users. In case they want=20
the software, we give them th elink to the wiki page and 99% of users=20
could do it as we has written it down.
But we do use OpenAFS 1.7.4 and still MIT KfW. Not yet needed to change=20
over to Heimdal. Oh, and we provide our own krb5.conf file in our wiki=20
for users to copy into the path (windows admins do know how to work with=20

> (1) Is it really true that OpenAFS tells people to download software
>      that doesn't work without manually fiddling with configuration
>      files?  Or did I do something wrong with the install?

No install can suite all users needs. In our case we cannot provide DNS=20
entries for OpenAFS and so default install does not work for us.
On providing installers you must find the most useable configuration.

> (2) Instead, could we have the Heimdal installer default
>      "allow_weak_crypto =3D true" ?

Why should it? It should always prefer the more secure system.

> (3) If we're stuck with (1) and can't do (2), would anyone like me to
>      write up the installation sequence required on the Wiki?  And mayb=
>      the download page could point to it so poor lusers could find it?
>      And maybe for MacOSX too, with also requires
>      a manual fiddling with /etc/krb5.conf after installation.
> (4) Is there a plan to finally wean AFS servers off des-cbc-crc ?

Already in work, but needs some more work as it needs some protocol=20
changes and a new standard for it.

> Thanks,
> John

Lars Schimmer
TU Graz, Institut f=FCr ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723