thank you for your help,

> Right. It means that you're running krb524d to return K4 tickets to
> applications that needed them, like AFS. As of OpenAFS 1.2.8, the
> server supports native K5 tickets, so you shouldn't have to do this
> any longer. The aklog that ships with OpenAFS 1.4 is the new version
> that does native K5 tickets by default (as opposed to the version
> that shipped with sarge, which was from the Kerberos Migration Kit
> and did 524 by default).
also the debian people hinted that the pam-openafs-session module is going to be replaced with a new re-write...

> > when doing aklog from sarge, the kerberos server log shows two
> > requests for principals:
> > afs/[EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> >
> > when doing the same from etch with -524 option, the log shows only
> > one request for principal:
> > afs/[EMAIL PROTECTED]
> >
> > there is only one principal in the kerberos database for afs:
> > [EMAIL PROTECTED]
>
> But the latter works anyway?

yes it does, if i run aklog on etch with the -524 the aklog itself succeeds and /afs is accessible. if i do the same without the -524, the aklog on etch succeeds but the /afs is inaccessible...

> You can double-check this in kadmin with getprinc [EMAIL PROTECTED]
>
> Note that for native K5 authentication to work, this principal needs
> to have only one key which is of type des-cbc-crc. The hashes don't
> matter but the encryption type does. If it has other, stronger
> encryption types, you'll get a K5 service ticket for the stronger
> encryption type, aklog will try to use that as a token, and it won't
> work.

it looks that this is exactly what is happening (wrong encryption type of the kerberos keys), kadmin(getprinc afs):

Number of keys: 2
Key: vno 9, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 9, DES cbc mode with CRC-32, no salt

one thing i do not understand is why it has 2 keys (and also do not understand what is the difference between a principal and a key (my gaps in understanding this are obvious) - are the keys used for encryption and the principal is basically a reference to what keys to use?

> You only have to have afs/[EMAIL PROTECTED] if your cell name
> is different than your Kerberos realm. Otherwise, either will work,
> although the latter form is recommended these days.

afs-cell-name = lower_case(kerberos-realm).
> /usr/share/doc/openafs-fileserver/README.servers.gz may be helpful,
> although it's targeted at new installations rather than upgrades.

i will read this asap.

so, if i create kerberos 5 principal with the correct encryption key strength, do asetkey on servers, the native kerberos 5 authentication should work from all - woody, sarge and etch?

vlad
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
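An added example, not code from the thread or from OpenAFS: a small sh check that reads a saved kadmin getprinc listing and reports whether the afs principal has the single des-cbc-crc key that native-K5 aklog needs, as described in the quoted reply above. The sample listing it feeds itself is constructed to mirror the getprinc output in this message; the principal name and realm in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a saved "kadmin -q 'getprinc afs'"
# listing for the key layout native-K5 aklog needs: exactly one key, des-cbc-crc.
# Usage: kadmin -q "getprinc afs" > afs-princ.txt && afs_key_check afs-princ.txt

afs_key_check() {
    # $1: file holding getprinc output. Returns 0 when the principal is usable
    # for native K5 AFS tokens, 1 when aklog would be handed a stronger enctype.
    total=$(grep -c '^ *Key: vno' "$1" || true)
    other=$(grep '^ *Key: vno' "$1" | grep -vc 'DES cbc mode with CRC-32' || true)
    if [ "$total" -eq 1 ] && [ "$other" -eq 0 ]; then
        echo "ok: single des-cbc-crc key, native K5 aklog should work"
        return 0
    fi
    echo "fix: $total keys, $other not des-cbc-crc; the KDC issues the stronger"
    echo "     enctype, aklog offers it as a token and the fileserver rejects it"
    return 1
}

# Constructed sample mirroring the kadmin output quoted in the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Principal: afs@EXAMPLE.REALM
Number of keys: 2
Key: vno 9, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 9, DES cbc mode with CRC-32, no salt
EOF
afs_key_check "$SAMPLE" || echo "re-key the principal with only des-cbc-crc, then re-run asetkey on the servers"
rm -f "$SAMPLE"
```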
