[OpenAFS] Questions, vol 1.
Ray Link
rlink+@pitt.edu
Wed, 21 Jan 2004 14:26:22 -0500 (EST)
On Wed, 21 Jan 2004, Stephen Bosch wrote:
> Well, thanks for all this help. It is *most* appreciated. I am already
> learning that there *are* places where the documentation has holes, so
> I'm less inclined to beat up on myself.
Yes, the documentation has unfortunately lagged behind the development
of OpenAFS. There is a Wiki
(http://grand.central.org/twiki/bin/view/AFSLore/WebHome)
that contains a lot of information not included in the old Transarc/IBM
docs (mainly because many features weren't around then) plus a lot of
"tips & tricks" entries.
> Also, there is the chance (though slim) that some machines would have to
> be moved off-site, and I'd want those workstations to work properly if
> that were necessary.
That's the beauty of AFS. Since it's a global file system, you can access
your home directory (and the rest of your cell, and everyone else's cells)
from anywhere on the planet.
> > First, about your tokens. Are you running KerberosV + OpenAFS? I recommend
> > it.
>
> No, we're not -- this is just the stock OpenAFS. I suppose I'm going to
> have to learn Kerberos also? How difficult/easy is it to integrate a
> stand-alone Kerberos implementation with OpenAFS?
It is no longer recommended to implement new AFS cells with the included
kaserver (pre-standardization krb4, essentially), but to instead set up
a KerberosV realm if you don't already have one. Krb4/KA is sorely
outdated.
See http://grand.central.org/twiki/bin/view/AFSLore/KerberosAFSInstall
for a guide to setting up a new OpenAFS cell with KerberosV.
> > Last year I found that none of the stock pam_afs, pam_openafs, or
> > pam_krb5 modules ever succeeded in getting AFS tokens. I ended up using
> > pam_krb5 to get Kerberos tickets and pam_run to run 'aklog' to get AFS
> > tokens.
>
> Can you explain the difference between Kerberos tickets and AFS tokens
> to me? Doesn't one contain the other?
A token is derived from a ticket. AFS uses the token, and doesn't care
about the ticket. A nice benefit of this is that, as long as you can
derive a token from whatever your authentication system hands you, the
auth system can be the built-in kaserver, MIT K5, Heimdal K5, or a
mish-mash of IV and V for transitional periods.
==== Ray Link === University of Pittsburgh CSSD === rlink@pitt.edu ====
==== PGP/GPG Key: http://www.pitt.edu/~rlink/gpgkey.asc.txt ====
"Real programmers can write assembly code in any language."
-Larry Wall
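The ticket-to-token sequence the message describes, written out as a POSIX shell script. This is an added example, not code from Ray Link's message or from the OpenAFS project: kinit obtains a Kerberos V TGT, aklog derives an AFS token from it (aklog asks the KDC for a service ticket for the cell's afs service principal, so that principal has to exist in the realm), and the output of `tokens` is checked to confirm the Cache Manager now holds the token. The cell name, realm name and the sample `klist` and `tokens` output lines in the comments are assumptions made for illustration; check them against your own site's output before relying on the match patterns.

```shell
#!/bin/sh
# Added example, not code from the original message or from OpenAFS.
# Shows the two-step login the thread discusses: a Kerberos V ticket
# first, then an AFS token derived from it with aklog.

CELL="${CELL:-example.com}"     # assumed AFS cell name
REALM="${REALM:-EXAMPLE.COM}"   # assumed Kerberos V realm

# escape_re STRING: escape the dots in a cell or realm name so the name
# can be embedded literally in an extended regular expression.
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# has_krb_ticket REALM KLIST_OUTPUT
# Succeeds if the klist text lists a ticket-granting ticket for REALM,
# i.e. a line containing krbtgt/REALM@REALM.
has_krb_ticket() {
    realm=$(escape_re "$1")
    printf '%s\n' "$2" | grep -Eq "krbtgt/${realm}@${realm}"
}

# has_afs_token CELL TOKENS_OUTPUT
# Succeeds if the `tokens` text shows an unexpired token for CELL.
# Assumed line format (older releases omit "rxkad" and print "afs@cell"):
#   User's (AFS ID 1234) rxkad tokens for example.com [Expires Jan 22 02:26]
# An expired token is printed with "[>> Expired <<]" instead, so it does
# not match, and neither does a token for a different cell.
has_afs_token() {
    cell=$(escape_re "$1")
    printf '%s\n' "$2" | grep -Eq "tokens for (afs@)?${cell} \[Expires"
}

# afs_login USER: the whole sequence a PAM stack has to reproduce.
# pam_krb5 performs the first step; nothing in it performs the second,
# which is why the thread runs aklog separately once the ticket exists.
afs_login() {
    kinit "$1@$REALM" || return 1              # Kerberos V TGT into the ccache
    has_krb_ticket "$REALM" "$(klist)" || return 1
    aklog -c "$CELL" -k "$REALM" || return 1   # derive the AFS token from it
    has_afs_token "$CELL" "$(tokens)"          # confirm the Cache Manager has it
}

# Only perform the login when invoked as: sh afs_login.sh login <user>
case "${1:-}" in
    login) [ -n "${2:-}" ] && afs_login "$2" ;;
esac
```

The two check functions are what you want after a PAM-driven login as well: a successful pam_krb5 authentication gives you the first, but only a run of aklog (from pam_run or an equivalent) gives you the second, and `tokens` is the authoritative answer to "do I actually have an AFS token for this cell".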