"Christopher D. Clausen" <[EMAIL PROTECTED]> replied:
> Joe Buehler <[EMAIL PROTECTED]> wrote:
> > Converting to Kerberos V has been a bit frustrating -- you can't just
> > follow a recipe, you have to use Google and learn quite a bit about
> > K5 and AFS to work through it all. I'm still learning.
>
> Well, once you have things working, please write up a recipe for others
> to follow.
>
> <<CDC
My recipe for starting a new cell is here:

    /afs/umich.edu/user/m/d/mdw/wp/uniq.2k

Of course there are bits that are afs version & os environment
dependent, or even configuration dependent. For converting
to kerberos V, kenh's notes are still the ones you want.

For key/salt, it doesn't matter what you specify on the
ank line. I use

    ank -randkey afs

not because I value the random key, but simply because it
won't prompt for a password.

I then use:

    ktadd -e des-cbc-crc:v4 -k /tmp/afs.kt afs

Here the encryption type does matter. Somebody commented that the salt
type is ignored. That is almost correct; it checks the spelling and
*then* ignores the type. "v4" is short -- afs3 or normal would work
identically. Doing the ktadd effectively does another "-randkey"; each
time you rerun ktadd, it will change the key & bump the kvno. Probably
the afs documentation should be clearer about this; this seems to be a
common point of confusion.

There is certainly room to improve the afs end of things. Future
versions of openafs should be better about building k5 versions
of aklog/asetkey/klog. Also future versions of pt should allow
the use of "pts -localauth" to add the first principal to the
pt database, which will obviate the need to use either "-noauth"
or "pt_util -w" to do this.

-Marcus
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
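
Added example, not part of the thread above and not OpenAFS or MIT Kerberos code: a small reader for the keytab file that ktadd writes, so the effect of rerunning ktadd (a new key under a higher kvno) can be checked directly. It assumes keytab file format 0x0502 and that ktadd appends a new entry on each run; the realm EXAMPLE.COM, the kvno values 3 and 4, and the all-zero key are constructed sample data.

```python
import struct

ENCTYPES = {1: "des-cbc-crc"}  # the enctype requested on the ktadd line

def read_counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a keytab in file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # negative size marks a deleted slot
            off -= size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = read_counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = read_counted(data, p)
            comps.append(comp.decode())
        p += 8                         # skip name type and timestamp
        kvno, etype = struct.unpack_from(">BH", data, p)
        _key, p = read_counted(data, p + 3)  # key bytes are read past, never returned
        if end - p >= 4:               # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        name = "/".join(comps) + "@" + realm.decode()
        entries.append((name, kvno, ENCTYPES.get(etype, str(etype))))
        off = end
    return entries

def current_kvno(entries, principal):
    """Highest kvno stored for a principal, i.e. the key written by the latest ktadd."""
    return max(k for name, k, _ in entries if name == principal)

def make_entry(kvno, key=b"\x00" * 8):
    """Constructed entry for afs@EXAMPLE.COM with a dummy all-zero DES key."""
    body = struct.pack(">HH", 1, 11) + b"EXAMPLE.COM" + struct.pack(">H", 3) + b"afs"
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, 1, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: the keytab after running ktadd twice (kvno 3, then kvno 4).
SAMPLE = b"\x05\x02" + make_entry(3) + make_entry(4)
```

On a real system, pass the bytes of /tmp/afs.kt to parse_keytab() instead of SAMPLE; the value from current_kvno() is the one that has to match the kvno the KDC now holds for afs.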