[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remapping old Kerberos 4 realm name to new Kerberos 5 realm name

(1) Thanks for the info on krb524d, you are right, that isn't what I

Working backwards from openafs-1.2.11/src/util/get_krbrlm.c it looks like
the location of krb.conf should be @afsconfdir/krb.conf where @afsconfdir
is /usr/afs/etc if one is using --enable-transarc-paths (one assumes this
would also be the place to put the file if one were still running IBM
AFS), otherwise it's {sysconfdir}/openafs/server where {sysconfdir} is
whatever was defined when you did the ,/configure step:

 --sysconfdir=DIR        read-only single-machine data in DIR

Also, Sam Hartman <hartmans@mekinok.com> writes [1]:
> You can create /usr/afs/etc/krb.conf with your realm name in it, and
> then create a key called afs/cell@REALM and that also works.

Feeding "/usr/afs/etc/krb.conf" into Google comes up with other useful

(2) Although this option seems vastly preferable to renaming my AFS cell,
it would still mean having a "flag day" and getting users to make a lot
of Windows-side config changes and learn some new piece of software (for
the Kerberos 5 authentication... OpenAFS Windows client isn't as stable
on some Windows versions/scenarios as IBM AFS client yet in my
experience, so I wouldn't be able to use the new integrated Kerberos 5
code), so I'd still be very interested if there is any way to do the
realm remapping Heimdal server-side.

[1] [OpenAFS] MIT krb5 w/OpenAFS 

On Tue, 08 Jun 2004 10:50:31 -0400, "Ken Hornstein"
<kenh@cmf.nrl.navy.mil> said:
> >Is there a Heimdal equivalent to MIT Kerberos + Ken Hornstein's
> >monster-patch krb524d [1] --with-krb524-remapping option? I'm trying to
> >remap an old Kerberos 4 realm name to a new Kerberos 5 realm name as
> >described in the migration scenario here [2]. If there isn't I assume I
> >could use krb524d to replace some Heimdal functionality, but I'd like to
> >stick with pure Heimdal if at all possible. Specific Heimdal error I am
> >getting now is:
> First off, it isn't a global remapping; it's done on a per-user basis.
> So I suspect that's not what you really want.
> Secondly ... I would advise that you simply change the Kerberos realm
> of your AFS cell to match that of your V5 Kerberos realm.  You can do
> that by placing a Kerberos V4 config file in a magic location on
> your AFS servers (I forget the location, but I'm sure someone will
> remind me).  This will make using the Windows client problematic with
> the native (v4) authentication ... but the trend has been to go to V5,
> so if I were you, I'd just go with V5 on Windows.
> --Ken

Daniel Joseph Barnhart Clark