
AFS/Heimdal/Debian



Sorry for the crossposting, but this touches several areas, and I'd like to
hit all at once.

I'm running a Heimdal KDC, and all is well with that.  I've managed to get
PAM doing its thing, and a host of other little niggling problems.  I'm now
trying to add AFS into the mix, and things are less impressive.

The Debian OpenAFS packages are heavily tainted towards MIT's Kerberos, which
I'm not a great fan of (well, it's actually a mix of the US government's
fascism and MIT's cold feet, but I can see where MIT is coming from) and I
can't seem to get an AFS key, as follows:

I've set up most stuff (vlserver, etc) and have a root volume.  I managed
this through both the Debian scripts and the 'real' AFS documentation.  Good
things all round.  Now, when I try to get a ticket, using aklog (as supplied
in Debian's openafs-krb5 package), I get:

aklog: Couldn't get ieee.uow.edu.au AFS tickets: 
aklog: Cannot contact any KDC for requested realm while getting AFS tickets

I have keys in the DB corresponding to both afs@REALM and afs/cell@REALM.  I
can get service tickets for them on my TGT without blinking.

The reason I can't contact any KDC is because, according to a strace,
nothing is happening on port 4444 of my Kerberos server.  I am assured by
several net sources that this is the krb524 port.  Surprise, surprise, there
isn't one in Debian's heimdal packages.  There is one in MIT's kerberos
packages, but having fought with Heimdal, I'm not about to try fighting MIT
as well (add the rant about MIT's unwillingness to export >here<).

Hence my dilemma.  Debian Heimdal doesn't come with anything approaching
krb524.  Is this a Heimdal problem, or a Debian problem?  I'm willing to
wager a Debian problem, since I looked at the source for Heimdal and it
seems it's quite willing to build Kerberos 4 support, with the help of the
KTH stuff and a few ./configure options.  So, the questions must be asked:

1) Can Heimdal (in any form) interact with Debian's OpenAFS packages?

2) Will Debian be packaging Heimdal in a form suitable for this?

3) Will I have to scrap Heimdal (damn damn damn) and go with MIT?

4) Is 3) an easy process, considering I have many keys in a Heimdal DB, and
I know that a large number of users will be royally pissed off if they have
to re-key *again*?

5) Should I, in fact, just give up on AFS altogether and keep bashing my
(rather pulped) head against the wall that is NFS?


-- 
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer
mjp16@ieee.uow.edu.au


