On 4/12/2012 9:45 AM, Jim Green wrote:
> At Michigan State, I am leading a project to upgrade our MIT Kerberos
> central authentication service from version 1.6.3 to 1.10.1. We will be
> dropping support for the Kerberos 4 protocol. We are a long-time AFS site
> and most of the systems we've been able to identify that still rely on
> Kerberos 4 are related to AFS in some way.

Need much more detail re: "in some way"

Also, 100% OpenAFS? Or ridiculously ancient boxes still running IBM AFS?

You're better off posting this to openafs-info, IMO.

The only significant thing of note that I can think of regarding AFS and MIT krb5 1.6.3 --> 1.10.1 is the requirement that krb5.conf include a new "allow_weak_crypto = true" setting, to satiate the current requirement for the "afs/cellname" principal's key to be of type des-cbc-crc:v4

http://docs.openafs.org/QuickStartUnix/ch01s03.html#Header_20
http://docs.openafs.org/QuickStartUnix/apb.html#KAS001

> The main drivers for this are a) desire to support account lockout for
> some users; b) desire to end-of-life Kerberos 4 support as recommended in
> MIT's Kerberos 4 end of life announcement
> (http://web.mit.edu/kerberos/krb4-end-of-life.html).
>
> I am interested in communicating with folks that have been down this path,
> if anyone has. Anyone know of any medium to large research institutions
> running Kerberos 1.7.x or higher? If so, I'd appreciate contact
> information. And, anyone, please chime in if there's some reason you know
> about that makes this idea totally crazy. Thanks.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
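
A pre-upgrade check for the krb5.conf setting named in the reply above, as an added example that is not part of the original thread: it reports whether allow_weak_crypto is enabled in [libdefaults] and which enctype settings there list single-DES types. The sample file, the realm EXAMPLE.EDU and the function name are constructed for illustration; realm-specific sub-blocks inside [libdefaults] are skipped.

```python
import re

# Spellings MIT krb5's profile library accepts as boolean true.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample, not taken from any real site.
SAMPLE_BEFORE = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    permitted_enctypes = aes256-cts des3-cbc-sha1 des-cbc-crc
[realms]
    EXAMPLE.EDU = {
        kdc = kdc.example.edu
    }
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "[libdefaults]", "[libdefaults]\n    allow_weak_crypto = true")

def audit_libdefaults(conf_text):
    """Return (allow_weak_crypto, settings that list a single-DES enctype)."""
    section, depth = None, 0
    allow_weak, des_settings = False, []  # an unset option counts as false
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
        elif line.endswith("{"):                 # entering a nested block
            depth += 1
        elif line.startswith("}"):
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "allow_weak_crypto":
                allow_weak = value.lower() in TRUE_WORDS
            elif key in ENCTYPE_KEYS:
                tokens = re.split(r"[\s,]+", value.lower())
                # "des" or "des-cbc-crc" is single DES; "des3-..." is not.
                if any(t == "des" or t.startswith("des-") for t in tokens):
                    des_settings.append(key)
    return allow_weak, des_settings

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_libdefaults(text))
```

A result of `(False, [...])` with a non-empty list means the file names DES enctypes that the library will ignore until the setting is added.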
