[OpenAFS] A single cohesive network with Kerberos and AFS

Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
28 Jun 2001 10:08:02 +0200


Thomas Cherryhomes <thomasc@apogeemm.com> writes:

> Hi!
> 
> I've been lurking on this list for a while now, and have been slowly
> researching on how to glue together a network of UNIX, Windows, and
> MacOS clients using AFS and Kerberos. 
> 
> IT IS THE MOST IMPORTANT GOAL THAT I HAVE A SINGLE LOGIN WHICH GETS ME
> ANYWHERE ON THE REALM!!!

Yes, that's definitely desirable.

> I know that I can link together Kerberos v5 and AFS on UNIX/Linux/*BSD
> et al... (I keep getting conflicting answers ranging from I just have to
> use the pam_krb5afs.o module to I have to use the kerberos v5 to v4
> ticket converter, to I have to use the AFS to Kerberos v5 Migration kit,
> which I've seen wide ranging opinions as to whether or not it would work
> with the latest krb5-1.2.2).... Is there any solution that WORKS ??? I
> don't care WHAT contortions I have to go through.

In fact, there is truth in all of them... they are not as conflicting as
it seems.

For a mere Linux client station, it is sufficient to use the
pam_krbafs.o module (as far as authentication is concerned). This
module (under the hood) makes use of the kerberos 5 to 4 converter
(the krb524 daemon, that needs to be running on the kerberos server).

Setting up the server side, things are different. Then you will indeed
need the Migration kit to transfer the afs principal from the kerberos
to the afs server.


> As for the Windows and Mac.... 

I don't know about any of these, sorry.

> Also, after looking at the design of Kerberos and AFS, I wonder why more
> people don't use this combination, not only in larger networks, but
> medium to small size networks as well? It seems that once a proper mix
> of clients is found, this would be one hell of a solution.

Yes, sure. The problem is that afs is - at the moment - not just
another krb5 aware service as lprng, sftp or the like. In fact, it was
designed to provide all needed services under the sun, not just the
core business of decent file serving that I want to use it for.
This makes the afs administration somewhat a world of its own.


> Any help would be appreciated.. I am very new at this..and coming from
> the world of Public Key and SSL, etc... this is a bit opposite of what
> I'm used to. 

Since I had similar problems earlier this year, I started a web page
to collect some hints: 


http://www.mathematik.uni-karlsruhe.de/~schulz/Unix/afs/afs-krb5.html

Your contributions about your research and experiences would be welcome. 

Yours,
-- 
Martin Schulz                             schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe