Linux Support FAQ entry 31 Oct 2006, logged in as JanIven
LinuxSupportFAQForm
SupportProblem kinit, klog, klog.krb clarification - what to use on SLC?
SupportAnswer As part of the ongoing migration from Kerberos4 to Kerberos5, users are asked to no longer run the klog command, and instead use kinit. This is typically only required to get fresh credentials in a long-running session (new sessions that authenticate the user with a password should generally start with fresh credentials anyway).

Using klog is deprecated and should be avoided, except in very specific circumstances where only an AFS token is desired (e.g. for a remote cell).

Background

Originally, each of the commands had a specific function:
  • kinit gets a Kerberos 5 TGT
  • klog acquires an AFS token
  • klog.krb gets an AFS token AND a Kerberos4 TGT

Each of these tools requires the user to type their password. To minimize this, functionality has often been merged:

  • The "Heimdal" kinit by default does Kerberos5+4+AFS in one go
  • "MIT" kinit can do Kerberos5+4 (with some options)
  • at CERN, klog has long been an alias (or wrapper script) for klog.krb

Some "helper utilities" exist to convert between the various credentials:

  • aklog uses an existing valid Kerberos5 TGT to get an AFS token
  • afs5log does the same
  • afslog uses an existing valid Kerberos4 TGT to get an AFS token
  • krb524init uses an existing valid Kerberos5 TGT to get a Kerberos4 TGT

Currently at CERN, kinit (from /usr/sue/bin, which usually comes very early in the PATH) is actually a shell script that invokes (MIT) kinit and afs5log; this provides Kerberos5+4+AFS credentials in one go.

The similar but older wrapper script for klog now gives a warning. It has been suggested to instead have klog invoke kinit, to hide this transition from the users. We feel that the technical difference should rather be exposed, especially since kinit has other interesting options (for example, it can "renew" an existing credential without asking for a password; this is not available with klog). Besides enabling such new functionality, we also expect users to better understand the underlying details, which allows us to troubleshoot issues much more quickly.

One case in which to continue using the klog command would be to get AFS tokens only (no Kerberos tickets desired) for a remote AFS cell. In this case please use /usr/bin/klog directly, and not the SUE wrapper.
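
The password-less renewal and the aklog helper described above, combined into one function for long-running sessions. This is an added example, not the CERN /usr/sue/bin wrapper; it assumes MIT Kerberos klist and kinit and OpenAFS aklog are on the PATH, and the function name refresh_creds is hypothetical.

```shell
#!/bin/sh
# Added example, not the CERN wrapper script. Assumes MIT klist/kinit and
# OpenAFS aklog are installed; refresh_creds is a hypothetical name.
#
# Prints one status word and returns:
#   0  renewed        TGT renewed without a password, AFS token refreshed
#   0  valid          TGT still valid but could not be renewed, AFS token refreshed
#   1  <state>-no-afs TGT is usable but aklog failed to obtain an AFS token
#   2  need-password  no valid TGT; the user must run kinit interactively
refresh_creds() {
    # klist -s prints nothing and exits non-zero when the credentials
    # cache cannot be read or the tickets in it have expired.
    if ! klist -s 2>/dev/null; then
        echo "need-password"
        return 2
    fi

    # kinit -R asks the KDC to renew the existing TGT; no password prompt.
    # It fails when the ticket was not issued as renewable or its
    # renewable lifetime has run out.
    if kinit -R 2>/dev/null; then
        state="renewed"
    else
        state="valid"
    fi

    # aklog uses the Kerberos 5 TGT to obtain an AFS token.
    if aklog 2>/dev/null; then
        echo "$state"
        return 0
    fi

    echo "$state-no-afs"
    return 1
}

# Typical use from a long-running session (for example a periodic job):
#   refresh_creds || echo "credentials need attention" >&2
```

A return value of 2 is the only case where a password has to be typed; the other cases can be handled unattended.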

OsVersion all
HardwareArchitecture any
ApprovedBySupport SupportApproved
Topic revision: r3 - 2007-06-15 - JanIven
 