[OpenAFS] OpenAFS 1.6.5 on OSX
Sun, 26 Apr 2015 16:53:30 +0200
On Apr 26, 2015, at 3:13 PM, Jeffrey Altman wrote:
> It means that the Kerberos library cannot find the KDCs for your realm
> via DNS SRV records or local configuration.
I'm no longer running a real DNS. Only DNSMasq. It's been enough
so far. But as you can see, I've set up the local config.
> I believe the correct system path for krb5.conf on OSX is
Not on my machine. /etc/krb5.conf existed before I started this
and init didn't work. So I added some entries (like default_realm
etc) to /etc/krb5.conf and then THAT worked as it was supposed
> Do you really want proxiable tickets?
I used to. I took these configs from my server, which in turn
inherited a lot from my REAL KDC when that was running a couple
of years ago. I haven't reviewed all additions=85 Maybe should
remove that, thanx.
>> dns_lookup_kdc = false
>> dns_lookup_realm = false
> DNS lookups are disabled.
Yes. On purpose (this time! :). That's why I need to specify
it in the file (further down).
>> allow_weak_crypto = true
> This is specified twice.
> Note that OSX Yosemite doesn't support weak
> crypto under any circumstances and you must use non-DES keys for
> Kerberos to address OPENAFS-SA-2013-003
I noticed that on the Linux AFS clients as well. That's what took
the Linux side(s) so long to work.
> Only OpenAFS 1.6.5 or later can be used with non-DES keys for OpenAFS.
I AM using 1.6.5... And 1.6.10 on the server. But I STILL couldn't
get it to work with any stronger. I had to use:
kadmin.local -q "ank -randkey afs"
kadmin.local -q "ktadd -e des-cbc-crc:v4 -k /etc/krb5.keytab.afs =
to get it to work at all...
>> krb4_convert = true
>> krb4_get_tickets = false
> kerberos 4 is dead.
I know. But initially I figured it couldn't reach the krb524 server
so I tried to enable K4. Didn't work either, and eventually I figured
that OpenAFS wouldn't include a Krb4-only aklog. Did you?
I love deadlines. I love the whooshing noise they
make as they go by.
- Douglas Adams
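
Added example, not part of the original message and not OpenAFS or Kerberos project code: a small krb5.conf linter that applies the review points raised in this thread (an option set twice, allow_weak_crypto, Kerberos 4 options, proxiable tickets, and DNS KDC lookup disabled with no kdc listed locally). It assumes MIT-style krb5.conf syntax; the realm and KDC host in the sample are placeholders, and the finding labels are made up for this example.

```python
import re

# Constructed sample: option names come from the thread; the realm and KDC
# host are placeholders (assumptions), not values from the original post.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_kdc = false
    allow_weak_crypto = true
    proxiable = true
    allow_weak_crypto = true
    krb4_convert = true
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""
TRUE = {"true", "yes", "y", "t", "on", "1"}

def parse(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value))
    return sections

def audit(text):
    """Apply the review points raised in the thread; return finding strings."""
    sections = parse(text)
    lib = sections.get("libdefaults", [])
    keys, opts = [k for k, _ in lib], dict(lib)
    found = [f"duplicate:{k}" for k in sorted(set(keys)) if keys.count(k) > 1]
    if opts.get("allow_weak_crypto", "false").lower() in TRUE:
        found.append("weak-crypto:allow_weak_crypto")  # permits DES enctypes
    found += [f"krb4:{k}" for k in sorted(set(keys)) if k.startswith("krb4_")]
    if opts.get("proxiable", "false").lower() in TRUE:
        found.append("review:proxiable")  # confirm proxiable tickets are wanted
    dns_off = opts.get("dns_lookup_kdc", "true").lower() not in TRUE
    has_kdc = any(k == "kdc" for k, _ in sections.get("realms", []))
    if dns_off and not has_kdc:
        found.append("no-kdc:dns_lookup_kdc is off and [realms] lists no kdc")
    return found

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```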