
Re: Remapping old Kerberos 4 realm name to new Kerberos 5 realm name
(1) Thanks for the info on krb524d, you are right, that isn't what I
want.

Working backwards from openafs-1.2.11/src/util/get_krbrlm.c it looks like
the location of krb.conf should be @afsconfdir/krb.conf where @afsconfdir
is /usr/afs/etc if one is using --enable-transarc-paths (one assumes this
would also be the place to put the file if one were still running IBM
AFS), otherwise it's {sysconfdir}/openafs/server where {sysconfdir} is
whatever was defined when you did the ./configure step:

 --sysconfdir=DIR        read-only single-machine data in DIR
 [PREFIX/etc]

Also, Sam Hartman <hartmans@mekinok.com> writes [1]:
> You can create /usr/afs/etc/krb.conf with your realm name in it, and
> then create a key called afs/cell@REALM and that also works.

Feeding "/usr/afs/etc/krb.conf" into Google comes up with other useful
references.

(2) Although this option seems vastly preferable to renaming my AFS cell,
it would still mean having a "flag day" and getting users to make a lot
of Windows-side config changes and learn some new piece of software (for
the Kerberos 5 authentication... OpenAFS Windows client isn't as stable
on some Windows versions/scenarios as IBM AFS client yet in my
experience, so I wouldn't be able to use the new integrated Kerberos 5
code), so I'd still be very interested if there is any way to do the
realm remapping Heimdal server-side.

[1] [OpenAFS] MIT krb5 w/OpenAFS 
https://lists.openafs.org/pipermail/openafs-info/2001-August/001706.html

On Tue, 08 Jun 2004 10:50:31 -0400, "Ken Hornstein"
<kenh@cmf.nrl.navy.mil> said:
> >Is there a Heimdal equivalent to MIT Kerberos + Ken Hornstein's
> >monster-patch krb524d [1] --with-krb524-remapping option? I'm trying to
> >remap an old Kerberos 4 realm name to a new Kerberos 5 realm name as
> >described in the migration scenario here [2]. If there isn't I assume I
> >could use krb524d to replace some Heimdal functionality, but I'd like to
> >stick with pure Heimdal if at all possible. Specific Heimdal error I am
> >getting now is:
> 
> First off, it isn't a global remapping; it's done on a per-user basis.
> So I suspect that's not what you really want.
> 
> Secondly ... I would advise that you simply change the Kerberos realm
> of your AFS cell to match that of your V5 Kerberos realm.  You can do
> that by placing a Kerberos V4 config file in a magic location on
> your AFS servers (I forget the location, but I'm sure someone will
> remind me).  This will make using the Windows client problematic with
> the native (v4) authentication ... but the trend has been to go to V5,
> so if I were you, I'd just go with V5 on Windows.
> 
> --Ken
> 

-- 
Daniel Joseph Barnhart Clark
http://www.pobox.com/users/dclark