afs-krb5 integration

Klaas Hagemann kerberos at northsailor.de
Fri Oct 18 03:29:53 EDT 2002


Hi Cesar,

thanks for your quick help.
I suppose I would have searched a long time for this bug.....
But with your patch, does krb524d work well together with OpenAFS?

Thanks
Klaas
----- Original Message ----- 
From: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>
To: "Ken Hornstein" <kenh at cmf.nrl.navy.mil>
Cc: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>; <kerberos at mit.edu>
Sent: Friday, October 18, 2002 6:22 AM
Subject: Re: afs-krb5 integration 


> Not sure - I'm not exactly an AFS subject matter expert and I haven't
> seen the AFS code that implements the key retrieval (from KeyFile)
> and token validation.
> 
> When I first started looking at MIT's krb524, this was the first problem
> we saw. [the 524 client setting the lifetimes incorrectly was the other,
> as apparently the resulting V4 ticket lifetimes are not communicated
> back to the client over the 524 wire protocol and the client is
> setting it based on 5 minute increments in the V4 ticket, not the
> CMU/AFS lifetime interpretation].
> 
> I noticed the kvno returned was "0", while the actual kvno for our afs
> principal was "1" (as seen via kadmin).  Given the error and the
> observed behavior wrt kvno, the fix was rather straightforward.
> 
> Perhaps your afs server uses different criteria for key
> retrieval. We're only now starting to roll out OpenAFS. Our
> observations were made with Transarc AFS, versions 3.x. Sorry I don't
> have a good answer for this.
> 
> >>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> 
> >> There is also a bug in krb524d that does not set the kvno on the
> >> returned V4 ticket. Here's a patch:
> 
> Ken> Interesting ... so what triggers this?  I mean, it seems to work
> Ken> in normal circumstances ...
> 
> Ken> --Ken
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos



