On Thu, 8 Jan 1998, Ken Hornstein wrote:

: This was pretty bad with the V4 database code, but _if_ you use V5 and
: you use the btree database backend, then this is a lot better.  And one
: of these days I'm going to get incremental database updating done ....
: 
: and if you want, you could buy the Veritas product and get incremental
: updating :-)
: 
: I _do_ wish Kerberos used Ubik, or something similar .... but that would
: require a pretty nasty set of changes to the admin protocol.
: 


Yes, the Kerberos V5 code is much improved. Of course the new question is how
does one juggle V5, DCE, and NT5? Plenty of room for coding to make this all
work together...

: >As you know it does a good job of
: >handling the MIT kerberos calls, and you can even have the added benefit of
: >forwarded tickets and tokens which also keeps users happier with less
: >password retyping.
: 
: How do you do ticket forwarding with Kerberos 4?

The AFS kaserver ignores the IP address in the TGT, so you can pick it up
and move it to another machine if you so desire. I use a modified version of
the ta-rauth code in the Transarc inetd.afs and rcmd() call. I think their
code only works on IBM or some such, mine works on all the AFS supported
platforms. Besides passing the AFS token like the Transarc code, you can
optionally pass the TGT along as well. I have put the code in rlogin,
rsh/rcp/rdist, and telnet, which can do various combinations of regular, V4,
or encrypted V4 authentication. The -f flag forwards the TGT, the token
defaults to being passed since with AFS home directories you need it. The -f
option is helpful for our authenticated printing, zephyr, and various other
services that would otherwise require a password. 


Randall
