Martin Schulz
28 Jun 2001

Thomas Cherryhomes writes:

> Hi!
> I've been lurking on this list for a while now, and have been slowly
> researching on how to glue together a network of UNIX, Windows, and
> MacOS clients using AFS and Kerberos. 

Yes, that's definitely desirable.

> I know that I can link together Kerberos v5 and AFS on UNIX/Linux/*BSD
> et al... (I keep getting conflicting answers ranging from I just have to
> use the pam_krb5afs.o module to I have to use the kerberos v5 to v4
> ticket converter, to I have to use the AFS to Kerberos v5 Migration kit,
> which I've seen wide ranging opinions as to whether or not it would work
> with the latest krb5-1.2.2).... Is there any solution that WORKS ??? I
> don't care WHAT contortions I have to go through.

In fact, there is truth in all of them... they are not as conflicting as
it seems.

For a mere Linux client station, it is sufficient to use the
pam_krbafs.o module (as far as authentication is concerned). This
module (under the hood) makes use of the kerberos 5 to 4 converter
(the krb524 daemon, that needs to be running on the kerberos server).

Setting up the server side, things are different. Then you will indeed
need the Migration kit to transfer the afs principal from the kerberos
to the afs server.

> As for the Windows and Mac.... 

I don't know about any of these, sorry.

> Also, after looking at the design of Kerberos and AFS, I wonder why more
> people don't use this combination, not only in larger networks, but
> medium to small size networks as well? It seems that once a proper mix
> of clients is found, this would be one hell of a solution.

Yes, sure. The problem is that afs is - at the moment - not just
another krb5 aware service such as lprng, sftp or the like. In fact, it was
designed to provide all needed services under the sun, not just the
core business of decent file serving that I want to use it for.
This makes the afs administration somewhat of a world of its own.

> Any help would be appreciated.. I am very new at this..and coming from
> the world of Public Key and SSL, etc... this is a bit opposite of what
> I'm used to. 

Since I had similar problems earlier this year, I started a web page
to collect some hints: 


Your contributions about your research and experiences would be welcome. 

