--- /dev/null
+A list of [errors](http://www.central.org/pages/numbers/errors.html) can be found at [[GrandCentralOrg]].
+
+When using [[KerberosV]] an error of 19270408 probably means one of:
+
+- kvno in the [[KeyFile]] doesn't match that in the Kerberos database
+- [[KerberosVMIT]] krb524d not configured correctly
+- des3 key in the database for the "afs" principal.
+
+-- [[DerrickBrashear]] - 26 Nov 2002
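Review bot: The third cause, `des3 key in the database for the "afs" principal.`, names only the "afs" principal, while the key setup page in this same change calls "afs/cell.name" the preferred form; say whether the cause applies to whichever principal name the cell uses. In the first cause, kvno could link to [[KeyVersionNumber]], which this change adds, and the third item should be phrased as a condition like the other two (for example, that the principal has a des3 key).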
### <a name="Create AFS Keys and Administrato"></a> Create AFS Keys and Administrators
+First you will need to create a principal "afs" or "afs/cell.name" in your [[KerberosV]] database. The latter is the preferred alternative, especially if you will support more than one [[AFSCell]] with a single [[KerberosRealm]].
+
+Your [[KerberosV]] realm must support krb524 for aklog to work, typically. [[KerberosVMIT]]:
+
+- set up krb524d. You will need to make sure your krb524d server host includes something like this in krb5.conf. Only one of the 2 entries should be needed for a realm, depending on how you did the setup in your [[KerberosV]] database.
+
+ [appdefaults]
+ afs_krb5 = {
+ REALM.NAME = {
+ afs = false
+ afs/cell.name = false
+ }
+ }
+
+[[HeimdalKTH]]:
+
+- kdc will service krb524 requests
+
Next we will create an AFS [[KeyFile]] and an administrator principal in the Kerberos database. The procedure for creating an AFS [[KeyFile]] depends on which [[KerberosV]] implementation you have chosen to use.
Things to remember about AFS [[KeyFile]]: they must contain a key using the des-cbc-crc encryption type and has the latest kvno in the Kerberos database.
In its current state, you have to manually log into your AFS cell through kinit and possibly aklog (explain aklog..., debugging using "tokens" etc). There are several methods to enable transparent login to both local resources (the machine itself) and AFS through a single password. See [[KerberosV]] and [[SettingUpAuthentication]] for some information.
--- [[JasonGarman]] - 05 Feb 2002
+-- [[JasonGarman]] - 05 Feb 2002 -- [[DerrickBrashear]] - 26 Nov 2002
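Review bot: In the krb5.conf block under the krb524d item, REALM.NAME and cell.name are placeholders but nothing on this page says so, and the effect of `= false` is not stated. The sentence `Where REALM.NAME and cell.name are the names of your [[KerberosRealm]] and [[AFSCell]] respectively.` from the other page in this change should follow the block here too. The lead-in `Your [[KerberosV]] realm must support krb524 for aklog to work, typically. [[KerberosVMIT]]:` would read better with "typically" moved before "must" and the implementation name on its own line, the way `[[HeimdalKTH]]:` is set out further down.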
--- /dev/null
+Someone should fill this in better. More information about Kerberos at <http://www.mit.edu/kerberos> . Kerberos v4 is supported natively by the AFS kaserver; The clients use a different wire protocol as well as modified tickets. A set of changes to use [[KerberosV]] (RFC1510) is in progress.
+
+-- [[TWikiGuest]] - 26 Nov 2002
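Review bot: `The clients use a different wire protocol as well as modified tickets.` does not say what the protocol and tickets differ from; state the baseline being compared against. The opening `Someone should fill this in better.` is an editing note rather than content and would be better as a marked TODO, and "The" after the semicolon should be lower case.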
The installation documentation on the [[OpenAFS]] web site unfortunately does not include any information on integrating AFS into a [[KerberosV]] realm. (Work on install document & gotchas page later)
+If you're using [[KerberosVMIT]] versions 1.2.6 or later, you'll need to add a section to krb5.conf on the krb524d host if you wish to continue using old-style [[KerberosIV]] ticket derived tokens.
+
+ [appdefaults]
+ afs_krb5 = {
+ REALM.NAME = {
+ afs = false
+ afs/cell.name = false
+ }
+ }
+
+Where REALM.NAME and cell.name are the names of your [[KerberosRealm]] and [[AFSCell]] respectively.
+
If you already have a working AFS cell using [[KaServer]], check out [[DerrickBrashear]]'s document for converting from the [[KaServer]] to [[HeimdalKTH]] [here](http://lost-contact.mit.edu/afs/net/project/afs32/andrew.cmu.edu/usr/shadow/ka2heim.txt): <file:/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt>
For now a few links... explanations to follow later:
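Review bot: The added block sets both `afs = false` and `afs/cell.name = false`, but the key setup page in this change says only one of the 2 entries should be needed for a realm; repeat that remark here or the reader will copy both. The same block now appears on two pages, so consider keeping it on one and linking to it from the other so the copies cannot drift apart.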
--- /dev/null
+A binary file containing fixed-length records consisting of a [[KeyVersionNumber]] (kvno) and a 56 bit DES key.
+
+-- [[DerrickBrashear]] - 26 Nov 2002
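Review bot: The definition says `56 bit DES key` without naming the encryption type, while the key setup page touched by this change says the [[KeyFile]] must contain a des-cbc-crc key with the latest kvno; state the same requirement here so the two pages agree. A link to the 19270408 error page added in this change would also help, since its first listed cause is a kvno mismatch in this file.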
--- /dev/null
+Monatomically increasing (in most cases) key version identifier which is incremented each time a principal changes keys (typically involving a change password operation)
+
+-- [[DerrickBrashear]] - 26 Nov 2002
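Review bot: `Monatomically` should be `Monotonically`. The hedge `(in most cases)` is left unexplained; either say when the number does not increase or drop the parenthesis, and end the sentence with a full stop.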
- [[DisconnectedOperation]] provides the ability to use AFS while not connected to a network.
-- [[NestedGroups]] allows PTS groups to have other groups as members. Waiting for [[OpenAFS]] port.
+- [[NestedGroups]] allows PTS groups to have other groups as members. Code available, waiting for [[OpenAFS]] port.
-- [[FreeBSDPort]] -- Server ported. No cache manager support yet available.
+- [[FreeBSDPort]] -- Server ported. Cache manager available, not stable yet.
-- [[HPUX11Port|Main/HP-UX11Port]] -- Missing RX code reconstructed. Waiting on kernel header from HP. Contact [[DerrickBrashear]].
+- [[HPUX11Port|Main/HP-UX11Port]] -- Missing RX code reconstructed. Header needed, available from HP.
- [[NetBSDPort]] -- No timeline available.
-- [[OpenBSDPort]] -- In progress. No cache manager support yet available.
+- [[OpenBSDPort]] -- In progress. Cache manager available, not stable yet.
- [[AutoConf]] with automake too. In progress. Contact [[DerrickBrashear]].
- [[BetterServerPreferences]] allow selectable continuous or on-demand server preferences in clients based on available information about Rx connection round trip times instead of classful networking approach currently used. Contact [[DerrickBrashear]]. _Do this for vldb servers too, or is that a separate project? [[TedAnderson]]_
-- [[NFSTranslatorServer]] -- Create an AFS/NFS translator for [[OpenAFS]] because there were licensing issues with the code in the IBM/Transarc product. A shell of one for Solaris only is in the source tree but needs more work before it will be useful. Contact [[DerrickBrashear]]. Another approach is a user-mode implementation. Contact [[JeffreyHutzelman]].
+- [[NFSTranslatorServer]] -- Create an AFS/NFS translator for [[OpenAFS]] because there were licensing issues with the code in the IBM/Transarc product. A Solaris-only version will be supported with and after 1.2.8. Another approach is a user-mode implementation. Contact [[JeffreyHutzelman]].
- [[PartitionUUID]] -- Create partition UUIDs such that the vldb can be rapdily updated if a disk is moved from one machine to another. Contact [[DerrickBrashear]].
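Review bot: The rewritten [[HPUX11Port|Main/HP-UX11Port]] and [[NFSTranslatorServer]] entries drop `Contact [[DerrickBrashear]].` while neighbouring entries still name a contact; confirm that is intended. `Header needed, available from HP.` no longer says which header (the old text said kernel header), and `with and after 1.2.8` would be clearer as "from 1.2.8 onward". The unchanged [[PartitionUUID]] line still carries the typo `rapdily`.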
--- /dev/null
+- [[ComErrErrors]]
+- [[RPCCallNumbers]]
+- [[RxServices]]
+- [[RxKadAuthenticatorTypes]]
+
+-- [[DerrickBrashear]] - 26 Nov 2002
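Review bot: The new page is a bare list of four links with no sentence saying what they index or how they relate; add a one-line introduction above `[[ComErrErrors]]` stating what the page collects.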