>[Hmm... I think Ken is still maintaining the FAQ for this list.
> If this isn't already in there, it probably should be....]

Well, I'm maintaining the Kerberos FAQ, not the AFS FAQ. This question
is already in there.
Errr, wait, I'm a liar ... it's not. Guess I should add it, then :-) (Jeff,
mind if I steal most of your reply here for the FAQ?).

>The problem here is that in order to register the user's password, your
>registration program (or login) must be able to authenticate to the
>kaserver as an administrator. Or, it must be able to authenticate to a
>separate registration service, which itself is an administrator and
>enforces certain restrictions (i.e. a user can only be registered once).

One thing I've seen done is that sites give the host key (host/*) the
ability to _add_ new accounts, and the conversion is done that way via
hacks to login. That only works for Kerberos 5, though, and doesn't
help you with standard AFS. As I recall, we sucked it up and had
everyone change their passwords.
--Ken