Since 1.3.50 OpenAFS for 32-bit Windows has included a version of aklog.exe that supports a -4 option that performs a pure Kerberos v4 service ticket acquisition.  This functionality is not present on 64-bit Windows because there is no 64-bit implementation of MIT Kerberos v4 (krbv4w32.dll).  The MIT Kerberos v4 implementation has not been under active development since 2004 and over the course of the last several years every Kerberos distribution has stopped shipping Kerberos v4.

There has not been significant reason to remove this functionality from OpenAFS for Windows up to this point.  The code was already written and (at least on 32-bit Windows) it continued to build.  However, there are two significant changes to the OpenAFS code base that are going to make on-going inclusion of this functionality challenging:

 1. In order to support the Heimdal Kerberos implementation on Windows as well as MIT Kerberos within the same binaries, OpenAFS must switch to building against an implementation-independent Kerberos SDK.  This SDK does not contain any support for Kerberos v4.

 2. There has been an on-going effort over the last several years to clean up the OpenAFS source tree and make more efficient use of the limited developer resources.  As part of that effort, Simon Wilkinson and others have replaced the OpenAFS crypto and platform compatibility utility functions with the much better implementations found in the Heimdal hcrypto and roken libraries.  The roken functionality interacts quite poorly with the MIT Kerberos for Windows headers.

I know that there are still a number of sites (unfortunately) that are still relying on kaserver.  I would assume that these sites do not install MIT Kerberos for Windows and therefore do not use the "aklog -4" functionality.  Are there any sites left that are still using non-kaserver Kerberos v4 and which do install MIT Kerberos for Windows to obtain ticket granting tickets?  I suspect there aren't because those sites would be jumping through hoops attempting to support 64-bit Windows.

In any case, I propose that this functionality be removed in the coming months as part of the 1.6 series release.
Any objections?

Jeffrey Altman
