Is this too big of a change?
Douglas E. Engert
deengert at anl.gov
Mon Aug 26 14:08:00 EDT 2002
Sam Hartman wrote:
> Hi. We're working on 1.2.6beta2 and are proposing to make a change
> that has somewhat more impact than we would normally make in a point
> release and we'd like to see how much trouble it would create for
> The OpenAFS and Arla community is working on support for somewhat more
> native krb5 authentication to AFS. Servers will support the
> encrypted part of a krb5 ticket sent with a special kvno as an AFS
> token. It turns out that if you have a special krb524d this
> improvement allows you to upgrade to doing krb5 AFS without any client
How does this match the code that Transarc added to the AFS clients for the
AFS to DFS migration tool? There the token could be a K5 ticket. Are
you using the same trick?
If there are no changes to the client, will it work with a Transarc client?
> We're going to roll support for this change into the 1.2.6 krb524d.
> The question is: how should we determine if we use the new style
> tickets or whether we just issue krb44 tickets as before.
> The AFS community seems ready to push fairly hard for upgrades to this
> new technology and (when it is ready later, RXGSS) so we'd like to
> help them by making the default for afs principals be the new
> format--optimizing for future convenience at the expense of
> transition-time inconvenience. We plan to default to the new format
> afs principals with an exception list of afs principals that should
> receive normal krb4 tickets.
> This means that if you were to deploy 1.2.6 today, you'd have to
> create an exception list for any afs cells your KDC serves.
Where is the exception list? If it's with each krb524d, that's OK.
> Does anyone believe this is too much work for sites to do when
> deploying 1.2.6? I'm much more interested in reports that this
> actually would be a problem than reports of how this might be a
> problem for a hypothetical third party or how I could do something
Can I still use a W2K KDC? We do that here with a modified krb524d
and an ak5log.
As AFS starts to use K5, what are the relationships of the AFS cell name
and the Kerberos realm name? Hopefully they are separate, where the
principals used are something like afs/<afscell>@<krb5realm>, with no
assumptions about the AFS cell matching the realm. This should also
mean that the AFS servers should be able to use principals from multiple
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439