[149] in athena10
Zephyr krb5 support
daemon@ATHENA.MIT.EDU (ghudson@MIT.EDU)
Thu Apr 3 14:13:37 2008
Date: Thu, 3 Apr 2008 14:12:53 -0400 (EDT)
From: ghudson@MIT.EDU
Message-Id: <200804031812.m33ICr5o000266@outgoing.mit.edu>
To: ops@mit.edu, athena10@mit.edu
Cc: kcr@mit.edu
At the beginning of this year, Karl submitted patches to add krb5
support to the existing Athena Zephyr code base. I have reviewed the
patches and checked them into the Athena 10 Subversion repository.
They came along with some auxiliary changes which I extracted and
checked in separately. Some of the more interesting ones are:
* Servers can override the Hesiod server list (e.g. to include
erato) without a named hack.
* zhm has some changes to be more friendly to intermittent
connectivity scenarios.
* The port and IP address checks on the server have been removed,
fixing two of the three issues with NAT compatibility.
The patches include the krb5 interrealm support which is currently
running on the production Zephyr servers but hadn't previously made it
into the Athena code base.
From conversations with Karl, the compatibility notes for these
changes are:
* New servers are compatible with old and new clients.
* New clients are only compatible with new servers.
* A Zephyr realm can theoretically be updated one server at a time
without losing the subs db, although this code is not well tested.
(iastate did a flag day conversion.)
I would like to see the new server code deployed at MIT this summer,
if ops can schedule that upgrade process.
I have no plans to deploy the new client code in Athena 9.4.
Athena 10 is currently expecting to use the native Debian package,
although that's not written in stone. Because new clients are not
compatible with old servers, I assume the Debian package will not be
updated to the new code base until the Kerberos-using Zephyr realms we
know about are upgraded. One way or another, I am hoping to make krb4
tickets unnecessary for Zephyr use in Athena 10.
