[8744] in Info-AFS_Redistribution


Re: Windows with Krb5

daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Thu Jun 14 17:58:10 2001

Date: Thu, 14 Jun 2001 17:50:56 -0400 (EDT)
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Kevin Rowland <krowland@nd.edu>
cc: Elmar Abeln <elmar.abeln@urz.uni-heidelberg.de>, info-afs@transarc.com
In-Reply-To: <3B28DF4F.3EDE81DF@nd.edu>
Message-ID: <Pine.LNX.3.95L.1010614172257.23809b-100000@minbar.fac.cs.cmu.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 14 Jun 2001, Kevin Rowland wrote:

> > <...snip...>
> > To work around this, configure NT clients
> > to believe that your KDC's are AFS database servers.  These extra
> > "database servers" will be used for Kerberos authentication, and then
> > timed out as vlservers fairly quickly.  This setup has worked well for us
> > in production more or less since the NT client was released.
> 
> I believe this works for you because you (UMICH) inserted code into
> kerberos_v4.c that searches for an afs3 salted key *before* a v4 style
> in response to a K4 request. This situation, otherwise, would not work
> (as it didn't for us -- which is what prompted me to try switching the
> keysalt list order). Am I missing something? Looks like I need to
> revisit the kerb_get_principal() code and incorporate that in to see if
> we can make both the AFS-NT client *and* Win2K clients happy...

I'm CMU, not UMICH.  In any event, our Kerberos database doesn't have any
afs-salted keys.  IIRC, the KDC code already prefers v4-salted keys to
keys with the default salt when answering V4 requests.  Since AFS has been
able to handle v4-salted keys since at least 3.3a, this should not be a
problem.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

