Hi Jeffrey,

Many thanks. Some questions are inline.

> -----Original Message-----
> From: "Jeffrey Altman" <[email protected]>
> Sent: 2018-05-16 00:29:48 (Wednesday)
> To: huangql <[email protected]>, openafs-info <[email protected]>
> Cc:
> Subject: Re: [OpenAFS] About the upgrading from kaserver to Kerberos 5
>
> On 5/15/2018 11:24 AM, huangql wrote:
> > Hi Jeffrey,
> >
> >
> > Thanks for your prompt and constructive reply.
> >
> >
> > If the afs2k5db tool was compiled against OpenAFS 1.2 and MIT Kerberos
> > 1.2, does it work for Openafs-1.4.14-1 version under 64bit ?
>
> As I indicated, the kaserver database file format has not changed.
> Therefore, it should not matter.

We will do that.

> > Or is there other method to migrate the users to kdc 5?
>
> Well, IHEP could just bring up a new Kerberos v5 realm and create all
> necessary client and server principals from scratch.

I have no idea about the scratch. Could you give more information about this? If there are documents about this, it would be excellent.

> At this point that might not be such a bad idea. The kaserver (being
> Kerberos v4 based) only supports DES-CBC-CRC 56-bit keys. Those keys
> can be brute forced in under 20 hours. The krbtgt and afs keys are
> particularly vulnerable. Theft of them permits any identity to be
> forged. Copying these keys into the new Kerberos v5 realm is pointless
> as they must be replaced immediately.
>
> The client configurations will have to be updated in any case to deploy
> Kerberos v5 libraries and configuration files. My recommendation is to
> start from scratch with Kerberos v5 and configure the AFS cell to accept
> both kaserver and Kerberos v5 for authentication. See the OpenAFS
> krb.conf man page.

Could you please point out how to configure to accept kaserver and Kerberos v5? Thank you.

> Again, good luck.
>
> Jeffrey Altman
