[OpenAFS] Basic newbie question...

Derrick J Brashear shadow@dementia.org
Fri, 23 Feb 2001 17:30:37 -0500 (EST)

On 23 Feb 2001, Derek Atkins wrote:

> AFS uses Kerberos for authentication.  OpenAFS provides it's own
> Kerberos-like Server (KAServer) which you must use if you do not run
> an MIT-style Kerberos KDC.  You _MUST_ run either a normal Kerberos
> KDC or the AFS KAServer.
> The main benefit of using a real KDC instead of KAServer is that the
> KAServer isn't really designed to do well in terms of providing
> authentication for non-AFS services.  So, if you want to use Kerberos
> to authenticate other servers, then I would recommend you really use a
> Kerberos KDC instead of KAServer.

Actually while I would not recommend a kaserver, it does just fine as a
Kerberos v4 KDC; It's just not integrated with e.g. kpasswd and kadmin,
and there are at least 2 fake v4 kadminds that will allow v4 kpasswd
clients to work with a kaserver.

> The other thing to note is that KAServer is _ONLY_ Kerberos v4, which
> is old and somewhat broken in a number of ways.  Kerberos will give
> you v5 capabilities which are more powerful and secure (for example,
> you can use 3DES).  There are a number of people who would tell you to
> use a Kerberos KDC just to try to stamp out Kerberos v4 servers.

This, however, is a good reason to set up a Kerberos v5 KDC and use it to
service your AFS needs.