[766] in arla-drinkers

Re: What is needed to run Arla under FreeBSD 3.1?

daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Mon Apr 19 12:09:14 1999

Date: Mon, 19 Apr 1999 11:56:01 -0400 (EDT)
From: Jeffrey Hutzelman <jhutz+@cmu.edu>
Reply-To: Jeffrey Hutzelman <jhutz+@cmu.edu>
Subject: Re: What is needed to run Arla under FreeBSD 3.1? 
To: "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
cc: assar@stacken.kth.se, Randy Philipp <randy@umbc.edu>,
        arla-drinkers@stacken.kth.se
In-Reply-To: <199904161153.HAA18850@rushlight.kf8nh.apk.net>
Message-ID: <ML-2.3+1.924537361.6838.jhutz@afstest-1.fac.cs.cmu.edu>

> In message <5lk8vceusk.fsf@assaris.sics.se>, assar@stacken.kth.se writes:
> +-----
> | Randy Philipp <randy@umbc.edu> writes:
> | >      How would one integrate arla into a Krb5/AFS environment?
> | 
> | It shouldn't be any different from a Transarc client (as Love already
> | told you).  And the common way of doing this is to use a 5-to-4
> | translator which would allow you to get a v4 ticket for `afs' from
> | your v5 KDC and then stuff that into the kernel.  This is the way that
> | `kauth' from heimdal <http://www.pdc.kth.se/heimdal> works.  I believe
> | there are similar ways of doing it with MIT krb5 (possibly with the
> | AFS-KRB5 kit).
> +--->8
> 
> You have to build krb524d and krb524init with MIT Krb5.  Note that krb524d
> is rather delicate (as of 1.0.5); it falls over whenever the KDC is locked
> for an update, so you pretty much have to run it from a shell script that
> respawns it automatically.  Once you have this converted v4 ticket you can
> use aklog to stuff it into the kernel.
> 
> The AFS-KRB5 patches make this semi-automatic based on entries in
> /etc/krb5.conf.
> 
> That said, it's ugly.  Then again, the equivalent "semi-automated" code
> doesn't appear to have made it into heimdal yet... but a heimdal KDC can
> run in Krb4 mode, and it looks like KTH krb4 will talk to it fairly well
> (not tested with recent Heimdal, hopefully that happens next week :-)

It's worth noting that the MIT KDC also responds to V4 requests - we've
been running that way for something like 2 years now with no problems.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
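
The quoted advice to run krb524d from a shell script that respawns it automatically could look like the sketch below. This is an added example, not part of the original message and not code from MIT krb5; the tunable names and the crash-loop limit are assumptions of the example, and the daemon has to be started in foreground mode (check its own usage text) or the wrapper will see it exit as soon as it forks.

```shell
#!/bin/sh
# Added example: keep a fragile daemon running by restarting it when it exits.
# Hypothetical invocation (path and option are placeholders, not from the page):
#   ./respawn.sh /path/to/krb524d <foreground-option>
# Tunables below are this example's own names, not krb5 settings.
RESPAWN_DELAY=${RESPAWN_DELAY:-5}     # seconds to wait before each restart
MIN_UPTIME=${MIN_UPTIME:-10}          # a shorter run counts as a fast failure
MAX_FAST_FAILS=${MAX_FAST_FAILS:-5}   # stop after this many fast failures in a row

log() {
    # Goes to stderr; swap in logger(1) if syslog is preferred.
    echo "respawn: $*" >&2
}

respawn() {
    fast_fails=0
    while :; do
        started=$(date +%s)           # epoch seconds (GNU and BSD date)
        if "$@"; then status=0; else status=$?; fi
        ran_for=$(( $(date +%s) - started ))
        log "'$1' exited with status $status after ${ran_for}s"

        # A daemon that dies immediately, over and over, is broken rather
        # than briefly locked out; stop instead of spinning forever.
        if [ "$ran_for" -lt "$MIN_UPTIME" ]; then
            fast_fails=$((fast_fails + 1))
        else
            fast_fails=0
        fi
        if [ "$fast_fails" -ge "$MAX_FAST_FAILS" ]; then
            log "giving up after $fast_fails fast failures in a row"
            return 1
        fi
        sleep "$RESPAWN_DELAY"
    done
}

# Run only when a command was given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    respawn "$@"
fi
```

The non-zero return on giving up lets whatever starts the wrapper notice that the daemon is down for good.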

