[OpenAFS] Authorization Setup for AFS?
James Graves
ansible@xnet.com
Fri, 23 Feb 2001 12:37:24 -0600 (CST)
Hello all,

I'm looking to implement OpenAFS later this year on some Linux boxen
(and maybe OpenBSD if a port becomes available). I also may have to
incorporate a few Windows (NT 4.0 and/or 2000).

As I understand it, Kerberos only provides authentication, not
authorization. This implies that other information (the user's full
name & unix ID, mail aliases, etc.) needs to be distributed via other
means. I believe NIS is most commonly used, but I've heard LDAP
mentioned as well.

I administer a relatively small network, so entirely reimplementing the
existing authorization system (NIS) is reasonable. I guess I'm asking
you all out there, "If you had to do it all over again, what would you
choose?"

I know that the biggest problem with NIS is that the encrypted passwords
are out in the open (discounting the non-standard shadow map
implementations), but that's solved by Kerberos. Are there other
security issues with NIS that would warrant its replacement? I'm not
too familiar with LDAP, and I don't know how well it can be integrated
into a Linux environment.

Any suggestions would be appreciated.

Thanks,
James Graves
--
"I've mastered every game in life except the most important one, life
itself." -- a quote for the new millennium.