[OpenAFS] OpenAFS Project List
Mark Montague
markmont@umich.edu
Wed, 14 Mar 2001 09:53:58 -0500 (EST)

On Wed, 14 Mar 2001, Stephen Joyce wrote:
> > This doesn't really refer to a project; There's no "progress" to be made.
> > Doug and Ken have made available tools to enable the use of AFS in a
> > Kerberos 5 environment, in preference to the use of the kaserver.
>
> While it is true that these tools exist, I would not agree that there's no
> progress to be made! The afs-krb5 migration kit is quite handy (we've
> been using it for several years now--thanks Ken and Doug!) it does have
> shortcomings. It isn't for the faint-of-heart to compile or configure, and
> the newest revision of Kerberos 5 that it will work with is v1.0.6, which
> has significant security problems--fixed in the newest versions. (We also
> have an issue where Windows clients fail miserably when authenticating
> against our krb5-bastardized AFS cell, but the lack of discussion of this
> issue leads me to believe that this is either a local problem or else very
> few sites are actively using the migration kit).

The lsa.umich.edu AFS cell performed the migration this past Saturday,
going directly from AFS 3.4a to MIT Kerberos 5 version 1.2.1 (we'll be
upgrading to 1.2.2 shortly, however). Len Smith from our group did all
the work on this and he has submitted the changes back to Ken for
inclusion in future versions of the migration kit.

The group that's responsible for the umich.edu cell made changes
available to us that permit the Windows clients to authenticate
properly. Hopefully they'll make their changes available to the
OpenAFS community. Here's a hint: we found that authentication
of the Windows client only failed miserably if you did not specify
a lifetime for the token. If you authenticate via the command line
rather than the GUI and specify the "-lifetime" flag, you can obtain
tokens which are usable for up to 10 hours.

Mark Montague
LS&A Information Technology
The University of Michigan
markmont@umich.edu