[OpenAFS] A few questions

Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
03 Jul 2002 14:00:36 +0200


"Klaas Hagemann" <kerberos@northsailor.de> writes:
> 1. I am running MIT Kerberos V as authentication service and it works well
> with openafs and aklog. Do I really need the krb524d daemon?

The aklog talks to krb524 to convert a k5 ticket into a k4 ticket, IIRC. 

> 2. Do I really have to add all Kerberos users with pts createuser? The
> problem is not to create them, it is more to keep these databases in sync.

Not all, just those who should be able to use AFS in a non-anonymous
way.  I, too, should write myself some script to do so. There is the
'uss' command delivered with AFS, but it is not adapted to a krb5
environment.

> 3. Is the AFS communication between the servers and between client and
> server encrypted?

By default, no. AFAIK, there is a client-side option for a weak
encryption of the payload data. Note, however, that no passwords ever
travel over the line (Kerberos!).

> 4. Let's say A is the Client, B is a Database Server and C is a fileserver. A
> wants from B a file being stored in C. How is the communication working?
> Does C send the file or volume or whatever directly to A or first to B which
> sends it to C?

Please correct me if I'm wrong:

The client knows the volume of the requested doc by its filename and
the corresponding mount points. It then asks the volume location
server which file server houses that volume. The client then contacts
this server and passes(*) its token. The file server then decides
whether the token is sufficient to access that file; it therefore asks
the protection server. If all is right, the file server then issues a
lock (if necessary) for that file and passes its contents over to the
client...

This seems overly complicated at first sight, but is a fairly scalable
setup.

(*) 'passes' is probably misleading. "Convinces the server that the
alleged token is really available on the client side" would be more
correct, I think.

> 5. Is there any chance to distribute a printing service using AFS?

I don't think so. AFS is a filesystem. It does not solve every problem
under the sun.  IIRC, LPRng can use krb5 tickets for printer access
and accounting. No need for AFS here. 

Yours,
-- 
Martin Schulz                             schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe
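
An added example, not part of the original message and not OpenAFS code: one way to check the sync problem from question 2, by comparing a Kerberos principal list with the AFS protection database in both directions. The realm, the sample data, the function names and the assumed output formats of `kadmin -q listprincs` and `pts listentries -users` are all assumptions of this sketch.

```shell
#!/bin/sh
# Assumed input formats: one principal per line (as `kadmin -q listprincs` prints)
# and the Name/ID/Owner/Creator table of `pts listentries -users`.
REALM="EXAMPLE.ORG"   # constructed realm name

# Constructed sample data, not taken from any real cell.
SAMPLE_PRINCS='K/M@EXAMPLE.ORG
afs@EXAMPLE.ORG
alice@EXAMPLE.ORG
bob@EXAMPLE.ORG
carol@EXAMPLE.ORG
dave@OTHER.ORG
host/fs1.example.org@EXAMPLE.ORG
kadmin/admin@EXAMPLE.ORG
krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'
SAMPLE_PTS='Name                          ID  Owner Creator
anonymous                  32766   -204    -204
alice                       1001   -204       1
bob                         1002   -204       1
mallory                     1003   -204       1'

# People in our realm: drop foreign realms, instance principals (host/..., kadmin/...)
# and the afs service principal.
krb_users() {
    printf '%s\n' "$1" | awk -F'@' -v realm="$REALM" \
        '$2 == realm && $1 !~ /\// && $1 != "afs" { print $1 }' | sort -u
}

# Names in the protection database: skip the header row and the built-in anonymous.
pts_users() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 && $1 != "anonymous" { print $1 }' | sort -u
}

# Print the names of list $1 that do not occur in list $2.
only_in_first() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $0 == "---" && !second { second = 1; next }
        !second { seen[$0] = 1; next }
        $0 != "" && !($0 in seen) { print }'
}

report() {
    k=$(krb_users "$1"); p=$(pts_users "$2")
    # Principal without a pts entry: AFS treats this user as anonymous.
    for u in $(only_in_first "$k" "$p"); do echo "pts createuser -name $u"; done
    # pts entry without a principal: its id may still sit on ACLs, so review it.
    for u in $(only_in_first "$p" "$k"); do echo "# orphan pts entry: $u"; done
}

report "$SAMPLE_PRINCS" "$SAMPLE_PTS"
```

The script only prints the `pts createuser` lines so they can be reviewed before anything is run against the cell.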