Thank you for the information. You were correct about those version numbers. I was thinking they were in sync with the clients. Anyhow, I seem to have been able to authenticate the cs.rose-hulman.edu domain with klog and was able to modify files that the ACLs indicate I should not be able to modify unless I was authenticated. I will relay the information on to the cs.rose-hulman.edu administrator.
-----Original Message-----
From: Jeffrey Altman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 28, 2005 10:54 AM
To: Gurganus, Brant L
Cc: OpenAFS information
Subject: Re: [OpenAFS] OpenAFS in Mixed 1.2/1.3 environment

Gurganus, Brant L wrote:
> The rose-hulman.edu AFS domain uses AFS 1.3 or newer meaning Kerberos 5
> or newer for authentication. The cs.rose-hulman.edu AFS domain uses AFS
> 1.2 authenticating against Kerberos 4 still until it can be upgraded. Is
> there a way to contact both servers? At a minimum, I think Leash
> should allow me to get the kerberos tickets for rose-hulman.edu which it
> does as well as the cs.rose-hulman.edu tickets which it does not. It
> gives a bad password error code for cs.rose-hulman.edu when the password
> is correct.

I'm not sure that you are providing the correct information.

The rose-hulman.edu AFS servers are running version OpenAFS 1.2.13 and use a Kerberos 5 realm ROSE-HULMAN.EDU for authentication.

The cs.rose-hulman.edu AFS server is running version OpenAFS 1.0.4. Does this cell use the ROSE-HULMAN.EDU realm for authentication (it could) or does it use the "kaserver"? I am going to assume for the rest of this discussion that it is using the "kaserver".

The answer to your question, based upon the assumption that cs.rose-hulman.edu is using the CS.ROSE-HULMAN.EDU kaserver realm for authentication, is that you can access both AFS cells but you can only obtain tickets using Leash32 for ROSE-HULMAN.EDU. KFW 2.6.x expects the KDC to support Kerberos 5. Although Leash32 can obtain a Kerberos 4 TGT it will do so after trying to obtain a Kerberos 5 TGT and will then try to convert it using the krb524 daemon.

To access the cs.rose-hulman.edu cell you will need to use the "klog.exe" that comes with OpenAFS and authenticate separately.

The OpenAFS you are running is quite old and really should be upgraded to at least OpenAFS 1.2.13 if not the forthcoming 1.4.0. Once this upgrade is performed it would be possible to allow the cell to use the ROSE-HULMAN.EDU realm for authentication. The AFS service tickets for cs.rose-hulman.edu would be of the form afs/[EMAIL PROTECTED] The cs.rose-hulman.edu cell would have its krb.conf file edited (or created) to specify ROSE-HULMAN.EDU.

If there is a need for CS.ROSE-HULMAN.EDU to maintain its own Kerberos realm, the kaserver can be replaced with either Heimdal or MIT Kerberos.

Jeffrey Altman
