So afs knows you're "admin" thru the "kinit admin" via aklog, and the
single DES key stuffing that takes place when one sets the afs keys up
takes care of authenticating the afs user to krb5 without having to
manually enter a password to krb5?
BTW thanks...
ted
Jeffrey Altman wrote:
ted cre
On Jan 27, 2006, at 11:59 AM, Douglas E. Engert wrote:
and update the /usr/afs/etc/UserList on the servers. I believe the kaserver
admin is still required to use the k4 with the kaserver. But then again if you
are using all Krb5 you don't need the kaserver.
If you're using kaserver, you set
ted creedon wrote:
1. Is the AFS service ticket the only thing needed to make an afs token?
Yes.
2. I.e. does pts handle all the afs permissions from then on?
Yes, the groups from AD in the PACD are AD specific and used only within
Windows. AFS has its own authz database and sets of group
ted creedon wrote:
> 1. Is the AFS service ticket the only thing needed to make an afs token?
yes
> 2. I.e. does pts handle all the afs permissions from then on?
yes
> 3. can "kinit admin" now authenticate to AD instead of a krb5 server?
this has been true since Windows started using Kerberos
1. Is the AFS service ticket the only thing needed to make an afs token?
2. I.e. does pts handle all the afs permissions from then on?
3. can "kinit admin" now authenticate to AD instead of a krb5 server?
thanks
tedc
Douglas E. Engert wrote:
ted creedon wrote:
What happens to non service tickets?
Not sure what you mean. The user's PAC is added to the initial TGT for the user
then copied to service tickets and cross-realm TGTs and the service ticket for
AFS.
The NO_AUTH_REQUIRED bit would only be set on the account for the AFS
What happens to non service tickets?
tedc
Douglas E. Engert wrote:
From the article:
"New resolution for problems that occur when users belong to many groups"
http://support.microsoft.com/?kbid=327825
It looks like XP and W2003 no longer have a max_token_size limit, and thus
the size of a ticket could now be above 12,000 bytes.
So for any sites that use Active