[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Two questions about AFS + Heimdal
> What I've done is:
> 1) Create principal afs@REALM.
> 2) Extract key with ext_keytab afs.
> 3) Use bos addkey to set the AFS key. I suspect this might be where I'm
> doing wrong, my AFS book says I'm supposed to use asetkey instead, which I
> found in the afs-krb5 migration kit, but didn't get to compile. Maybe I
> should convert the key in some way first?
You don't have to play around with any extra tools such as ext_srvtab
or asetkey. The goal of the exercise is to get the *same* DES key with
the *same* key version numbers both into the kerberos database and
into the AFS servers using bos. The crux only is that AFS and krb4 and
krb5 uses different string (i.e passwords) to DES-key algorithms. To
avoid this problem you consult the AFS manuals to find out how to
install a new afs@REALM key and do precisely as they tell you to do.
To install the correct key into the kerberos database you first use
the little program (that is part of both krb4 and heimdal) kstring2key
to convert the password into a DES key, then use kadmin to install the
DES key (not the password) into the database.
> Also, my AFS book tells me to create a /usr/afs/etc/krb.conf (linking it
> to /etc/krb.conf), but it assumes krb4 and I'm not sure what to do about
> that. I suspect this is the reason klog.krb in the AFS dist doesn't
> connect to the kdc (it times out)?
If your realm name is the same as your cell name then you should *not*
have a /usr/afs/etc/krb.conf file. If they don't match, then your AFS
servers must have the *real* realm name as the first line in
/usr/afs/etc/krb.conf. The rest of the file is ignored.
_ _ ,_______________.
Bjorn Gronvall (Björn Grönvall) /_______________/|
Swedish Institute of Computer Science | ||
PO Box 1263, S-164 29 Kista, Sweden | Schroedingers ||
Email: firstname.lastname@example.org, Phone +46 -8 633 15 25 | Cat |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30 `---------------'