[OpenAFS-win32-devel] AFS Server on Windows now works - please test new builds
Douglas E. Engert
deengert@anl.gov
Fri, 02 Apr 2004 13:00:17 -0600
> Jeffrey Altman wrote:
>
> Douglas E. Engert wrote:
>
> > Well either all applications that have been expecting to use small tickets,
> > like AFS, kx509 and any udp apps will need to be able to handle large tickets.
> >
> >
> As long as the tickets do not exceed 64K - 256 OpenAFS
> will be able to handle them.
But you said:
* Increased the size of the maximum ticket size stored in a token
from 344 bytes to 4096.
Are you changing the limits on this too?
>
> MIT Kerberos and Heimdal both support TCP for ticket retrieval
> and the aklog which will be shipping with OpenAFS will support
> large tickets. This should no longer be an issue.
>
> > I did just after writing the first note.
> > [grand.central.org #3864] AutoReply: src/rxkad/ticket5.c uninitilized return variable
> >
> Thank you.
>
> >
> > I did not mean to imply you needed to fix this, but that if you do try
> > and use a k5 ticket directly it best be des-cbc-crc or the AFS servers may
> > reject it.
> >
> It is documented somewhere that you must use DES-CBC-CRC for
> your AFS ticket whether you are using the Kerberos 5 kvno
> stuff or not.
But what I am seeing, is that a W2003 AD may issue a ticket with DES-CBC-MD5,
whereas a W2000 AD in the same domain will issue it with DES-CBC-CRC.
So if one of these is used directly, it will not work as the server will not
accept the DES-CBC-MD5.
(I just put up a krb5-1.3.2 KDC today, and I am seeing something similar
with krb524d when the kinit was done against the W2003 AD vs the W2000 AD.
I am still looking at this situation. This may be the same problem, as the
new krb524d may be retaining the DES-CBC-MD5 for the converted k4 ticket.)
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444