arla-0.41 and support for Tiger

Harald Barth haba at pdc.kth.se
Wed Jan 11 17:00:26 CET 2006


> If I do kinit + klist like that:
> 
> % kinit --no-afslog
> jdurand at CERN.CH's Password:
> % klist -T
> Credentials cache: FILE:/tmp/krb5cc_27343
>         Principal: jdurand at CERN.CH
> 
>   Issued           Expires          Principal
> Jan 11 15:15:42  Jan 12 16:15:39  krbtgt/CERN.CH at CERN.CH
> 
> Jan 11 09:35:27  Jan 11 17:35:27  Tokens for cern.ch

This looks like a kerberos 5 ticket and older tokens
from a previous kinit. If your admins run at least the
following
   AFS servers 1.2.8
   KDC MIT 5 1.2.6 or Heimdal 0.6.4
it should be possible to use this ticket to get AFS tokens (built into
kinit or afslog) and not bother with anything else. The feature is
named "rxkad 2b". All these versions are from 2002, so the software
around you should be upgraded to at least these versions. The feature
is described in the 1.2.8 relnotes. Yes, you can mix token types
during the transition phase.

ftp://ftp.stacken.kth.se/pub/openafs/1.2.8/RELNOTES-1.2.8

> % kalog jdurand at cern.ch
> Getting ticket for jdurand at cern.ch
> Password:
> % tokens
> 
> Tokens held by Arla:
> 
> Tokens for afs at cern.ch [Expires Jan 11 23:16]
>    --End of list--

Actually I don't know which kalog tries to get
tokens from what server(s) here. Not enough
information to say anything more conclusive.

> - Why do I not see something like: User's (AFS ID ...) etc ?

Different versions of OS+AFS use different ways to get the token into
the kernel. If you use the newest arla on Tiger, probably only the
kinit, klist and afslog distributed with it work.

> - When doing kalog, and if there is a krb.conf in addition to CellServDB, will 
> krb.conf be used 

I don't know. Depends on the kalog. Arla's kalog only uses kaservers
IMHO. There have been many versions of kalog, in arla some of them
broken because we can't test kalog.

> (you said that krb4 are a little bit better than kaservers - 
> that's why I ask) ?

krb4 is only old encryption, kaserver is old encryption combined with 
sparsely maintained server software.

> Btw when I said kerberos4 was to be dropped in debian, I meant that heimdal 
> was now compiled without the support of it. I guess this is why, before the 
> drop, when I was doing kinit I got everything in one go, and that now I have 
> to do kalog in addition...

You should be able to use kerberos 5 for everything nowadays so that your
sysadmins can throw away their kaservers and you can throw away the kalog.

Harald.

