[OpenAFS] Basic newbie question...
Derrick J Brashear
shadow@dementia.org
Fri, 23 Feb 2001 17:30:37 -0500 (EST)
On 23 Feb 2001, Derek Atkins wrote:
> AFS uses Kerberos for authentication. OpenAFS provides its own
> Kerberos-like Server (KAServer) which you must use if you do not run
> an MIT-style Kerberos KDC. You _MUST_ run either a normal Kerberos
> KDC or the AFS KAServer.
>
> The main benefit of using a real KDC instead of KAServer is that the
> KAServer isn't really designed to do well in terms of providing
> authentication for non-AFS services. So, if you want to use Kerberos
> to authenticate other servers, then I would recommend you really use a
> Kerberos KDC instead of KAServer.

Actually, while I would not recommend a kaserver, it does just fine as a
Kerberos v4 KDC; it's just not integrated with e.g. kpasswd and kadmin,
and there are at least 2 fake v4 kadminds that will allow v4 kpasswd
clients to work with a kaserver.

> The other thing to note is that KAServer is _ONLY_ Kerberos v4, which
> is old and somewhat broken in a number of ways. Kerberos will give
> you v5 capabilities which are more powerful and secure (for example,
> you can use 3DES). There are a number of people who would tell you to
> use a Kerberos KDC just to try to stamp out Kerberos v4 servers.

This, however, is a good reason to set up a Kerberos v5 KDC and use it to
service your AFS needs.

-D