Jeffrey Hutzelman wrote:
>
> On 06/06/00 11:09:40 -0500 "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
> > At one time, Transarc offered an AFS to DFS migration kit. One of the
> > features was the translator, which acted like an AFS server, but accessed
> > DFS used the encrypted part of the K5 ticket as the token. So the AFS
> > cache manager, should already have some of the K5 code as you would do
> > this in the aklog:
> > atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
> >
> > It's just the AFS servers which would need to look at the token
> > differently.
>
> Unfortunately, it's not that simple. The DFS migration toolkit required a
> number of special tools, including a translation server. The cache manager
> knows nothing about krb5; it believes it is talking to a normal AFS server
> using normal V4-based rxkad.
>
Yes, I realize it is not that simple. What I was pointing out was that the
cache manager and the protocols appear not to need modifications, just the servers.
And that Transarc has already done some of the work when they wrote the translator.

> Actually making everything use Kerberos V is considerably more complicated,
> especially if you want to maintain compatibility, which is very important
> to Transarc. Back when this project was still active, I talked with the
> developer about the details of how it would work. It's possible, but not
> trivial.

Yes, klog for example. It's really a combination of kinit and aklog.
So you could either have a k4log and a k5log, or just say you must use kinit
then aklog. kpasswd is another example, where this is really a Kerberos command,
not an AFS command.

One of the questions is: Should AFS be treated as a service, in a realm,
running under principals such as: afs/<afscell>@<k5-realm>
This could allow multiple AFS cells to be served by a single realm, or
even multiple realms could issue tickets for the same cell.

I would like to see Transarc go forward with this project, which would
allow one to use whatever Kerberos KDCs they wish with AFS servers.

>
> -- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444