From: Sam Hartman Date: Fri, 23 May 2003 16:33:58 +0000 (+0000) Subject: Document afs_krb5 appdefaults section X-Git-Tag: krb5-1.4-beta1~931 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=3169dd07d343347af64af1bb636f4534c02a1e30;p=krb5.git Document afs_krb5 appdefaults section Ticket: 1192 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15484 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/ChangeLog b/doc/ChangeLog index 786fb2ca2..18d239039 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,9 @@ +2003-05-22 Sam Hartman + + * admin.texinfo (appdefaults): Describe afs_krb5 + + * krb425.texinfo (AFS and the Appdefaults Section): Note about AFS and 2b tokens + 2003-05-13 Ken Raeburn * definitions.texinfo: Updated DefaultSupportedEnctypes. diff --git a/doc/admin.texinfo b/doc/admin.texinfo index a58cf5675..d35246911 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo 
@@ -610,6 +610,33 @@ The list of specifiable options for each application may be found in that application's man pages. The application defaults specified here are overridden by those specified in the [realms] section. +A special application (afs_krb5) is used by the krb524 service +to know whether new format AFS tickets based on Kerberos 5 can be used +rather than the older format which used a converted Kerberos 4 ticket. +The new format allows for cross-realm authentication without +introducing a security hole. It is used by default. Older AFS +servers (before OpenAFS 1.2.8) will not support the new format. If +servers in your cell do not support the new format you will need to +add an @code{afs_krb5} relation to the @code{appdefaults} section. +The following config file shows how to disable new format AFS tickets +for the @code{afs.example.com} cell in the @code{EXAMPLE.COM} realm. + +@smallexample +@group +[appdefaults] +afs_krb5 = @{ + EXAMPLE.COM = @{ + afs/afs.example.com = false + @} + @} + +@end group +@end smallexample + + + + + @node login, realms (krb5.conf), appdefaults, krb5.conf @subsection [login] diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo index c239b2f54..7a7a80862 100644 --- a/doc/krb425.texinfo +++ b/doc/krb425.texinfo @@ -17,7 +17,7 @@ @include definitions.texinfo @set EDITION 1.0 -@set UPDATED October 8, 1996 +@set UPDATED May 22, 2003 @finalout @c don't print black warning boxes @@ -101,6 +101,7 @@ nonstandard installations. @menu * libdefaults:: * realms (krb5.conf):: +* AFS and the Appdefaults Section:: @end menu @node libdefaults, realms (krb5.conf), krb5.conf, krb5.conf @@ -122,7 +123,7 @@ Specifies the location of the Kerberos V4 domain/realm translation file. Default is @value{DefaultKrb4Realms}. @end table -@node realms (krb5.conf), , libdefaults, krb5.conf +@node realms (krb5.conf), AFS and the Appdefaults Section, libdefaults, krb5.conf @subsection [realms] In the [realms] section, the following Kerberos V4 tags may be used: 
@@ -148,6 +149,21 @@ between the realms. @end table +@node AFS and the Appdefaults Section, , realms (krb5.conf), krb5.conf +@subsection AFS and the Appdefaults Section + +Many Kerberos 4 sites also run the Andrew File System (AFS). + +Modern AFS servers (OpenAFS > 1.2.8) support the AFS 2b token format. +This allows AFS to use Kerberos 5 tickets rather than version 4 +tickets, enabling cross-realm authentication. By default, the +@file{krb524d} service will issue the new AFS 2b tokens. If you are +using old AFS servers, you will need to disable these new tokens. +Please see the documentation of the @code{appdefaults} section of +@file{krb5.conf} in the Kerberos Administration guide. + + + @node kdc.conf, , krb5.conf, Configuration Files @section kdc.conf
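Review bot: The doc/ChangeLog entry for krb425.texinfo names only the new "AFS and the Appdefaults Section" node, but the same patch also bumps `@set UPDATED` from October 8, 1996 to May 22, 2003, adds a menu entry, and rewires the next pointer of the `realms (krb5.conf)` node. Listing those under the krb425.texinfo item would let someone reading the ChangeLog see why the edition date moved.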
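Review bot: In the doc/admin.texinfo hunk (@@ -610,6 +610,33), the example relation `afs/afs.example.com = false` is shown without an explanation of how its key is built. The prose says only that it applies to the `afs.example.com` cell, so an administrator with a different cell name has to guess that the key is `afs/` followed by the cell name, and whether it can be set outside a realm subsection. A sentence describing the key and stating that the value is a boolean defaulting to true would close that gap. "Without introducing a security hole" also leaves the reader unable to judge what is lost by setting the relation to false; either name the weakness of the converted Kerberos 4 ticket path or drop the phrase. The run of added blank lines after `@end smallexample` can be reduced to one.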
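Review bot: The version boundary in the last doc/krb425.texinfo hunk (@@ -148,6 +149,21) disagrees with the admin.texinfo text in the same patch: here support is "OpenAFS > 1.2.8", which excludes 1.2.8, while admin.texinfo says servers "before OpenAFS 1.2.8" lack support, which includes it. Pick one wording so a site running exactly 1.2.8 knows whether it must disable 2b tokens. The closing sentence points to "the Kerberos Administration guide" in plain text; a Texinfo cross-reference to the appdefaults node, plus the relation name `afs_krb5`, would let readers find the setting directly.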