Brian May <[EMAIL PROTECTED]> writes: > Ideally that would be "AFS environment that our users require".
> However, I would be happy is that was "AFS environment that will work > without recompilation of Debian packages". Right now, the AFS packages in Debian will work with either native K4 or with krb524, although the server support for native K4 isn't in Debian. > My preference would be native K5. > However, I get the impression that isn't yet possible with openafs in > Debian (unless I am badly confused). You're correct, although it's very close. It will be possible with the 1.4.1 release (and is almost possible right now but openafs-krb5 is too old; I'm waiting for the 1.4.1 release to retire the openafs-krb5 package and package aklog and asetkey with openafs). So it will be possible for etch. The aklog in openafs will also support krb524d. However, dropping KTH Kerberos loses the ability to work with native K4 easily because of afslog (klog would still be available, as would the PAM modules, but not something that worked from a K4 ticket cache). We're already building our own version of afslog for K4 at Stanford, though, so I'm not sure how much that would really impact anyone and what sites (if any) would be affected. > So if using krb524 works, then hopefully that would be OK. > (when I last tested it I couldn't get it to work with anything except > krb4 support in the KDC, but I may have been doing something wrong...) README.servers in the openafs-fileserver package explains how to set up OpenAFS with Kerberos v5 authentication via krb524d, and at least with the packages in sid it's been fairly well-tested. The setup scripts needed a bit of work that I just recently finished. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
