Dr A V Le Blanc wrote:
>
> On Tue, Jun 06, 2000 at 10:27:44PM -0500, Douglas E. Engert wrote:
> > True, but the point was to use K5 authentication, and AFS could continue to do
> > whatever it wants for its protocol. The points you make are improvements to
> > the protocol, which could occur at a later time.
> ...
> > The above are also improvements to the AFS protocol, which don't need
> > to be made to get the authentication to use K5. It will still limit
> > it to a 56 bit DES key.
>
> I don't know whether I have misunderstood, but you might have a look
> at the KTH kerberos 5 server, heimdal. It is able to
>
> (1) Import AFS kerberos databases from a Transarc kaserver, giving
> (as I understand it) kerberos 5 authentication using existing
> passwords.
>
> (2) Serve standard AFS kaserver requests, so that it can replace a
> Transarc kaserver.
>
> This means, if I understand correctly, that your AFS cell could
> interoperate with a K5 server without needing changes to the current
> Transarc binaries. The heimdal server needs to be compiled with
> the options '--enable-kaserver --enable-kaserver-db' and linked
> with the KTH kerberos 4 libraries, and you need some special options
> in the kdc.conf file.
>
What that sounds like is it interoperates with a server which understands
K5 and K4. The MIT server can do this, but the DCE and W2K servers can't.
They don't have K4 support.
Point (1) above sounds like a migration tool, and point (2) is a replacement
for the kaserver.
Both of these sound like great ideas, but it is still using K4.
K5 will give you better lifetimes, and forwardable tickets among other things.
> -- Owen
> [EMAIL PROTECTED]
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444