Marc Horowitz <[EMAIL PROTECTED]> writes in response to my note:
>If you already have the v4 aklog around, and you don't want to modify
>it, you can do what you want entirely with programs in the krb5
>distribution:
>
>1) make sure you built krb5kdc with the krb4 compatibility options
>2) krb524d on the same host as your kdc
>3) after using v5 kinit, run k524init, which will get you a v4 tgt
>from your v5 tgt.
>4) then, run aklog, which will get you a token from the v4 tgt
>obtained in 3.
>
>Of course, this doesn't require a kaserver to be running at all.

All this is true, but the point of making a version of aklog which
uses the K5 protocols is:

 o You don't need to have krb5kdc built with the krb4 compatibility
   options.

 o You don't need to run k524init, and thus don't need a V4
   credentials cache on the client, and thus don't have to destroy it
   either. (You also don't need to have K4 ported to the
   client since you don't need the libkrb.a or any of the K4
   utilities. (Don't hold me to this, since I had it ported.
   If it's not true it should be possible with only a little work.))

 o You don't even need a kaserver either; all you need is for the
   afs@cell key in the K5 server to match the key in the /usr/afs/KeyFile.

 o It also allows you to use forwarded credentials even across
   realms. (This was one of our tests.) I would like to use
   proxiable tickets instead, which would be good for only AFS, but never
   got that far to try this instead of forwarded credentials.
   This would be very useful in a batch processing setting as well.

The point is to get as much of K4 out of the picture as possible,
and use K5 instead. Getting the K5 ticket for afs@cell and having
it converted to a K4 ticket is done by using the krb524 routines
in aklog directly rather than having this done in k524init.

I would have hoped that the original authors of aklog or whoever
at MIT is responsible for aklog would look at doing the
conversion to K5. The modifications I posted the other day show
that it is possible, but these mods still need some work.

Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: [EMAIL PROTECTED]