Linux Support FAQ entry 31 Oct 2006, logged in as JanIven
LinuxSupportFAQForm
SupportProblem kinit, klog, klog.krb clarification - what to use on SLC?
SupportAnswer As part of the ongoing migration from Kerberos4 to Kerberos5, users are asked to no longer run the klog command, and instead use kinit. This is typically only required to get fresh credentials in a long-running session (new sessions that authenticate the user with a password should generally start with fresh credentials anyway).

Using klog is deprecated and should be avoided, except in very specific circumstances where only an AFS token is desired.

Background

Originally, each of the commands had one specific functionality:
  • kinit gets a Kerberos 5 TGT
  • klog acquires an AFS token
  • klog.krb gets an AFS token AND a Kerberos4 TGT

Some "helper utilities" exist to convert between the various credentials:

  • aklog uses an existing valid Kerberos5 TGT to get an AFS token
  • afs5log does the same
  • afslog uses an existing valid Kerberos4 TGT to get an AFS token
  • krb524init uses an existing valid Kerberos5 TGT to get a Kerberos4 TGT

The first set of tools requires the user to type their password. To minimize this, functionality has often been merged:

  • The "Heimdal" kinit can do Kerberos5+4+AFS in one go
  • "MIT" kinit can do Kerberos5+4 (with some options)
  • at CERN, klog has long been an alias to klog.krb

Currently at CERN, kinit (from /usr/sue/bin, which usually comes very early in the PATH) is actually a shell script that invokes (MIT) kinit and afs5log - this provides Kerberos5+4+AFS credentials in one go. A similar shell script for klog now gives a warning.

It has been suggested to instead have klog invoke kinit, to hide this transition from the users. We feel that the technical difference should rather be exposed, especially since kinit has other interesting options (for example, it can "renew" an existing credential without asking for a password; this is not available with klog). This way, we expect users to better understand the underlying details, which allows us to troubleshoot issues much more quickly.
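
The wrapper arrangement described above, as an added sketch (not CERN's actual /usr/sue/bin scripts): a kinit wrapper that gets the Kerberos5 TGT and then the AFS token, and a klog wrapper that only warns. The binary paths, the REAL_KINIT / REAL_AFS5LOG variables, the function names and the warning text are assumptions; the Kerberos4 step is left out.

```shell
#!/bin/sh
# Added example, not the site's own script.
# Placeholder paths (assumptions): point these at the real MIT kinit and afs5log.
REAL_KINIT="${REAL_KINIT:-/path/to/mit/kinit}"
REAL_AFS5LOG="${REAL_AFS5LOG:-/path/to/afs5log}"

# kinit wrapper: Kerberos5 TGT first, then the AFS token derived from it.
# The real binary is called by absolute path: a bare "kinit" would find this
# wrapper again, because the wrapper directory comes early in PATH.
wrap_kinit() {
    # Pass all options through (e.g. renewing without a password).
    # If no TGT was obtained, stop and keep kinit's own exit status.
    "$REAL_KINIT" "$@" || return $?
    # afs5log needs the valid Kerberos5 TGT obtained above.
    "$REAL_AFS5LOG" || {
        echo "kinit: got a Kerberos5 TGT, but afs5log could not get an AFS token" >&2
        return 1
    }
}

# klog wrapper: warn on stderr so that anything reading stdout is not disturbed.
# Assumption: it only warns; the page does not say whether klog still runs after.
warn_klog() {
    echo "klog: deprecated, please use kinit instead" >&2
}

# Dispatch on the name the script is installed under (kinit or klog).
case "$(basename -- "$0")" in
    kinit) wrap_kinit "$@" ;;
    klog)  warn_klog ;;
esac
```

Checking the exit status of the wrapper distinguishes "no TGT" (kinit's own status) from "TGT but no AFS token" (status 1), which is the distinction a support request usually needs.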

OsVersion all
HardwareArchitecture any
ApprovedBySupport SupportApproved
Topic revision: r1 - 2006-10-31 - JanIven