John W Sopko <[EMAIL PROTECTED]> writes:

> I got this to work! That is I turned the kaserver back on and made sure
> the kvno were different in /usr/afs/etc/KeyFile. On the same machine I
> can do klog to the kaserver and things seem to work fine. Or I can
> kinit/aklog! Pretty nice! I also tested on another linux machine.

> I do not quite understand why it works though. The fileserver is using
> the afs service keys from AD since the krb.conf file is pointing to the
> AD realm, or the -realm option to the fileserver :-).

A realm specified in krb.conf is supplemental. A realm matching the name
of the AFS cell is always also supported.

> I even made my user passwords different in the kaserver and the AD
> server and it still works fine! I just want to be sure this will work
> and why. This will be a fantastic migration path for us and I am sure
> others. I think this will work whether or not you are using a
> MIT/Heimdal or Windows KDC server.

Yup, this works. You can run kaserver and a K5 KDC in parallel and
support tokens generated by either, provided that both keys are present in
the KeyFile with different kvnos.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
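An added example, not part of the original message or of OpenAFS: a check that a KeyFile holds both service keys under distinct kvnos, which is the condition the reply gives for running kaserver and a K5 KDC in parallel. The binary layout (a 32-bit key count followed by eight 12-byte kvno/DES-key slots, all in network byte order) and the names `keyfile_kvnos`, `check_parallel_setup` and `build_keyfile` are assumptions of this example, and the sample KeyFile image is constructed.

```python
import struct

MAXKEYS = 8                      # assumed fixed number of key slots in the file
ENTRY = struct.Struct("!i8s")    # assumed slot layout: kvno, 8-byte DES key


def keyfile_kvnos(data: bytes) -> list[int]:
    """Return the kvnos stored in a KeyFile image. Key bytes are never returned."""
    if len(data) < 4:
        raise ValueError("KeyFile too short to hold a key count")
    (nkeys,) = struct.unpack_from("!i", data, 0)
    if not 0 <= nkeys <= MAXKEYS:
        raise ValueError(f"implausible key count {nkeys}")
    if len(data) < 4 + nkeys * ENTRY.size:
        raise ValueError("KeyFile truncated")
    return [ENTRY.unpack_from(data, 4 + i * ENTRY.size)[0] for i in range(nkeys)]


def check_parallel_setup(data: bytes, ka_kvno: int, k5_kvno: int) -> list[str]:
    """List the reasons tokens from one of the two sources would be rejected.

    ka_kvno is the kvno of the afs key held by the kaserver, k5_kvno the kvno
    of the afs service principal in the K5 KDC (both supplied by the operator).
    """
    problems = []
    if ka_kvno == k5_kvno:
        # One kvno can select only one key, so one side could never validate.
        problems.append(f"kaserver and K5 KDC both use kvno {ka_kvno}")
    present = set(keyfile_kvnos(data))
    for label, kvno in (("kaserver", ka_kvno), ("K5 KDC", k5_kvno)):
        if kvno not in present:
            problems.append(f"{label} key kvno {kvno} missing from KeyFile")
    return problems


def build_keyfile(entries: list[tuple[int, bytes]]) -> bytes:
    """Build a constructed KeyFile image for the demonstration below."""
    used = b"".join(ENTRY.pack(kvno, key) for kvno, key in entries)
    unused = ENTRY.pack(0, bytes(8)) * (MAXKEYS - len(entries))
    return struct.pack("!i", len(entries)) + used + unused


# Constructed sample: dummy key material, kvno 0 for kaserver, kvno 3 for the KDC.
SAMPLE = build_keyfile([(0, b"\x01" * 8), (3, b"\x02" * 8)])

if __name__ == "__main__":
    for ka, k5 in ((0, 3), (0, 0), (0, 4)):
        print(ka, k5, check_parallel_setup(SAMPLE, ka, k5) or "ok")
```

On a real server the image would come from reading /usr/afs/etc/KeyFile as root; the check reports only kvnos, so its output is safe to log.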
