Is this too big of a change?

Douglas E. Engert deengert at
Mon Aug 26 14:08:00 EDT 2002

Sam Hartman wrote:
> Hi.  We're working on 1.2.6beta2 and are proposing to make a change
> that has somewhat more impact than we would normally make in a point
> release and we'd like to see how much trouble it would create for
> users.
> The OpenAFS and Arla community is working on support for somewhat more
> native krb5  authentication to AFS.  Servers will support the
> encrypted part of a krb5 ticket sent with a special kvno as  an AFS
> token.  It turns out that if you have a special krb524d this
> improvement allows you to upgrade to doing krb5 AFS without any client
> changes.

How does this match the code that Transarc added to the AFS clients for the
AFS to DFS migration tool? There the token could be a K5 ticket. Are 
you using the same trick?

If there are no changes to the client, will it work with a Transarc client?

> We're going to roll support for this change into the 1.2.6 krb524d.
> The question is:  how should we determine if  we use the new style
> tickets  or whether we just issue krb44 tickets as before.
> The AFS community seems ready to push fairly hard for upgrades to this
> new technology and (when it is ready later, RXGSS) so we'd like to
> help them by making the default for afs principals be the new
> format--optimizing for future convenience at the expense of
> transition-time inconvenience.  We plan to default to the new format
> afs principals with an exception list of afs principals that should
> receive normal krb4 tickets.
> This means that if you were to deploy 1.2.6 today, you'd have to
> create an exception list for any afs cells your KDC serves.

Where is the exception list? If its with each krb524d that OK.

> Does anyone believe this is too much work for sites to do when
> deploying 1.2.6?  I'm much more interested in reports that this
> actually would be a problem than reports of how this might be a
> problem for a hypothetical third party or how I could do something
> different.

Can I still use a W2K KDC? We do that here with a modified krb524d
and a ak5log. 

As AFS starts to use K5, what are the relationships of the AFS cell name
and the Kerberos realm name? Hopefully they are seperate. Where the 
principal used are something like afs/<afscell>@<krb5realm> With no 
assumptions about the afs cell matching the realm. This should also 
mean that the afsservers should be able to use principals from multiple

> Thanks,
> --Sam
> _______________________________________________
> krbdev mailing list             krbdev at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the krbdev mailing list