
Re: RFC: drop kerberos4-support?

Brian May <bam@debian.org> writes:

> Ideally that would be "AFS environment that our users require".

> However, I would be happy if that was "AFS environment that will work
> without recompilation of Debian packages".

Right now, the AFS packages in Debian will work with either native K4 or
with krb524, although the server support for native K4 isn't in Debian.

> My preference would be native K5.

> However, I get the impression that isn't yet possible with openafs in
> Debian (unless I am badly confused).

You're correct, although it's very close.  It will be possible with the
1.4.1 release (and is almost possible right now but openafs-krb5 is too
old; I'm waiting for the 1.4.1 release to retire the openafs-krb5 package
and package aklog and asetkey with openafs).  So it will be possible for
etch.  The aklog in openafs will also support krb524d.

However, dropping KTH Kerberos loses the ability to work with native K4
easily because of afslog (klog would still be available, as would the PAM
modules, but not something that worked from a K4 ticket cache).  We're
already building our own version of afslog for K4 at Stanford, though, so
I'm not sure how much that would really impact anyone and what sites (if
any) would be affected.

> So if using krb524 works, then hopefully that would be OK.

> (when I last tested it I couldn't get it to work with anything except
> krb4 support in the KDC, but I may have been doing something wrong...)

README.servers in the openafs-fileserver package explains how to set up
OpenAFS with Kerberos v5 authentication via krb524d, and at least with the
packages in sid it's been fairly well-tested.  The setup scripts needed a
bit of work that I just recently finished.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
