[OpenAFS] Basic newbie question...
Derek Atkins
warlord@MIT.EDU
23 Feb 2001 16:44:54 -0500
AFS uses Kerberos for authentication. OpenAFS provides its own
Kerberos-like Server (KAServer) which you must use if you do not run
an MIT-style Kerberos KDC. You _MUST_ run either a normal Kerberos
KDC or the AFS KAServer.
The main benefit of using a real KDC instead of KAServer is that the
KAServer isn't really designed to do well in terms of providing
authentication for non-AFS services. So, if you want to use Kerberos
to authenticate other servers, then I would recommend you really use a
Kerberos KDC instead of KAServer.
The other thing to note is that KAServer is _ONLY_ Kerberos v4, which
is old and somewhat broken in a number of ways. Kerberos will give
you v5 capabilities which are more powerful and secure (for example,
you can use 3DES). There are a number of people who would tell you to
use a Kerberos KDC just to try to stamp out Kerberos v4 servers.
I hope this helps.
-derek
Corey Kovacs <ckovacs@DEPAUW.EDU> writes:
> This is going to sound really dumb to all of you "in the know"
> but here goes... What is the difference between using AFS with
> kerberos, and without? It is my _basic_ understanding that AFS
> uses the same or similar methods to authenticate users. So what
> I am guessing is that the difference is that it can be incorporated
> if a kerberos system is already in place. i.e., you don't _need_
> kerberos.
>
> If the above assumption about not _needing_ kerberos is true, are
> there any benefits to using AFS _with_ kerberos?
>
> Also I want to set up AFS to do authentication and LDAP to
> handle authorization. Are there any real caveats to doing this?
> I am posting any questions directly regarding setting ldap up to
> the openldap list as it doesn't have anything to do with this list
> obviously, but if someone has/is doing this, I'd appreciate any info
> you can give me.
>
> Thanks!
>
> --
> Corey Kovacs
> Computer Science Dept.
> DePauw University.
> 765.658.4761
>
> "I know not with what weapons World War III will be fought, but
> World War IV will be fought with sticks and stones."
> - Albert Einstein
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available