[OpenAFS] Kerberos with AFS

Peter Popovics pop@dtv.dk
Mon, 21 May 2001 17:17:30 +0200


I've been following the discussions here for a long time about AFS+Kerberos,
and it seems to be really hard for a "novice" to find the right answer from
the dozens of related mails... It would be nice to have some kind of FAQ for
this problem area, but * really * from the approach of someone new to this
entire area... Some ideas (I've found these questions myself while doing the
migration/integration; it would be nice for someone with deeper knowledge to
respond to them):

1. Why use Kerberos with AFS?
2. Why not use AFS for authentication?
3. What is the principle of operation of an integrated krb5/afs installation? (This can be found in Ken's readme file...)
4. What implementation of Kerberos to use (Heimdal/MIT/W2K)? What's the difference?
5. What is aklog/afslog? Where are they derived from and what do they do?
6. What is the krbafs library?
7. What special configuration, and maybe patches, does kerberos need for AFS integration? (key types...)
8. Then what is the klog.krb coming with afs?
9. There is a PAM module pam_krb5afs.so. What does it do then?
10. How do I integrate all these with PAM?
11. How to build openssh to forward both krb5 and afs tickets?
12. How can the krb5 ftp and telnet support afs? (ftp-ing in an afs home directory)
13. How to administer users in the integrated environment? (still need pts!!!)
14. How to distribute the user/group information (nss_ldap, radius and other stuff)?
...

As you can see most of these questions are not closely related to OpenAFS,
but for a novice it's extremely hard to figure out the pointers for that
kind of "general" information... I think I would contribute to this kind of
FAQ, if there is someone else more familiar with the * correct * answers
than me.

P.Peter