Hiho! I'm using OpenAFS 1.2.7 with Kerberos 5 and after upgrading to the 1.2.6 Release of MIT Kerberos yesterday, the afsd started rejecting tokens.
After diving into the Documentation (if all else fails, read the docs :)
i disabled the "new style" of afs tokens in the [appdefaults] section
of the krb5.conf file on all hosts as follows:
[appdefaults]
afs_krb5 = {
MYREALM.DOM = {
afs = false
}
}
"MYREALM.DOM" is of course just an example.
Apparently, Kerberos 1.2.6 is not only able to return the encrypted part
of a Kerberos 5 Ticket as a Token to an "afs/*@*" principal but does so
by default. The user has to disable it manually, if the AFS Server is
unable to use the Token, which seems to be the case with my OpenAFS
installation (1.2.7, compiled from unpatched sources, linked against
MIT Kerberos 5 1.2.5) or my Kerberos Migration Kit (Version 1.3).
Question: Is it/will it be possible to use this feature, rather then disable it,
with some Release of OpenAFS? Which one? How? I seem to be unable to
find any docs about this, other than the short notice in the MIT Kerberos 5 source
tree.
It would be nice to get rid of Kerberos 4 and single DES in the long
run.
Kind regards
Friedel
--
Friedrich Delgado Friedrichs <[EMAIL PROTECTED]>
Laziness led to the invention of the most useful tools.
msg05320/pgp00000.pgp
Description: PGP signature
