afs-krb5 integration

Donn Cave donn at u.washington.edu
Tue Oct 22 13:47:19 EDT 2002


Quoth hartmans at mit.edu (Sam Hartman):
|>>>>> "Josh" == Josh Huber <huber at alum.wpi.edu> writes:
...
|     Josh> I like the thought of more integration of AFS and krb5.
|
| Not surprisingly those of us who worked on this proposal had similar
| motivations.

Excellent.  I'm encouraged enough by all this to overcome my
embarrassment and ask a very basic question about AFS and krb5.

Unlike (I gather) most or all AFS sites, we never used Kerberos 4
here, we started with V5 (after a brief flirtation with DCE.)
Hence, no --with-krb4, no Kerberos 4 salted keys, just pure krb5.

Will pure V5 work with AFS, once implementation of all this new
stuff is nailed down?  Am I right that the classic krb524d AFS
support depends on V4 keys in the V5 KDC?

Thanks,
	Donn Cave, donn at u.washington.edu
----------------------------------------
  An alternate conversion is provided for AFS servers that support the 
  encrypted part of a krb5 ticket as an AFS token.  If the krb524d is 
  converting a principal whose first component is afs and if the 
  encrypted part of the ticket fits in 344 bytes, then it will default 
  to simply returning the encrypted part of the ticket as a token.  If 
  it turns out that the AFS server does not support the ticket, then 
  users will get an unknown key version error and the krb524d must be 
  configured to use v4 tickets for this AFS service.


