>While it is true that these tools exist, I would not agree that there's no
>progree to be made! The afs-krb5 migration kit is quite handy (we've
>been using it for several years now--thanks Ken and Doug!) it does have
>shortcomings. It isn't for the faint-of-heart to compile or configure, and
>the newest revision of kerberos 5 that it will work with is v1.0.6, which
>has significant security problems--fixed in the newest versions.
I know, I know ... the _patch_ for the distribution is old and crusty, but
the rest of it should be okay (I know that the database converter has a
bug, but someone sent me a patch for it). Updating that stuff should
happen this summer. But aklog and fakeka should work just fine with any
newer Kerberos distribution.
>(We also
>have an issue where Windows clients fail miserably when authenticating
>against our krb5-bastardized AFS cell, but the lack of discussion of this
>issue leads me to believe that this is either a local problem or else very
>few sites are actively using the migration kit).
Are you using the native tools for authentication? The problem (which
actually has been discussed many times here) is that the Windows client
doesn't use the rxkad-based authentication protocol, but does Kerberos V4
to the database servers (as far as we can tell, no one really knows _why_
this is, but there you have it).
You can do one of the following things:
- Use a windows aklog
- Add your V5 KDCs to your list of database servers on your windows clients.
--Ken