On Mon, Jun 06, 2005 at 01:23:34PM -0400, Jeffrey Hutzelman wrote:
>
> On Sunday, June 05, 2005 01:22:18 PM -0500 Troy Benjegerdes
> <[EMAIL PROTECTED]> wrote:
>
> >On Sun, Jun 05, 2005 at 12:08:35PM -0400, Jeffrey Altman wrote:
> >>Troy Benjegerdes wrote:
> >>
> >> > This seems to keep getting discussed. Does anyone have a roadmap of
> >> > what needs to be done to get to full native Krb5 support, and doing
> >> > away with a dependence on des keys?
> >>
> >>Full krb5 support is available to you now. The only restriction is
> >>that you must use a DES key for the AFS service principal.
> >
> >So is there an aklog (or something like it) that does not require running
> >krb524d?
>
> It is possible to build such an aklog, yes. Heimdal's libkafs and afslog
> support this mode of operation; to enable it, you need to set "afs-use-524"
> to either "local" or "2b" in the [appdefaults] section of krb5.conf (the
> "local" setting will set full krb5 tickets as tokens; the "2b" setting will
> set rxkad-2b tokens, which are smaller and may be required for older cache
> managers or if your tickets are unusually large for some reason).

So, if I'm interested in getting openafs/src/aklog/ updated, and included,
would it maybe be best to try to port libkafs to work with both heimdal and
MIT kerberos? (and the corresponding configure hackery to auto-detect which
flavor?)

I sort-of have an aklog working based on the stuff in src/aklog, and it
seems to at least get me tokens... but I suspect it knows nothing about full
krb5 tickets.

Anyone else have comments/suggestions/patches?

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
