[OpenAFS] A few questions

Klaas Hagemann kerberos@northsailor.de
Wed, 3 Jul 2002 14:30:40 +0200


Ok,

thanks for your quick answers.
Concerning the encryption, do I have to activate it on each client? Or is
there any server operation to generally activate them?
Although there are no passwords being sent over the network, I do have to
encrypt any communication.

When I get a token using aklog, it is only valid for one hour. Is it
possible to change this value?

Thanks, Klaas

----- Original Message -----
From: "Martin Schulz" <schulz@iwrmm.math.uni-karlsruhe.de>
To: <openafs-info@openafs.org>
Sent: Wednesday, July 03, 2002 2:00 PM
Subject: Re: [OpenAFS] A few questions


> "Klaas Hagemann" <kerberos@northsailor.de> writes:
> > 1. I am running MIT Kerberos V as authentication service and it works
> > well with openafs and aklog. Do I really need the krb524d daemon?
>
> The aklog talks to krb524 to convert a k5 ticket into a k4 ticket, IIRC.
>
> > 2. Do I really have to add all kerberos-users with pts createuser? The
> > problem is not to create them, it is more to keep these databases in
> > sync.
>
> Not all, just those who should be able to use AFS in a non-anonymous
> way.  Me too, I should write me some script to do so. There are these
> 'uss' commands delivered with AFS, but these are not adapted to a krb5
> environment.
>
> > 3. Is the AFS communication between the servers and between client and
> > server encrypted?
>
> By default no. AFAIK, there is a clientside option for a weak
> encryption of the payload data. Note however, that no passwords ever
> travel over the line (kerberos!)
>
> > 4. Let's say A is the Client, B is a Database Server and C is a
> > fileserver. A wants from B a file being stored in C. How is the
> > communication working? Does C send the file or volume or whatever
> > direct to A or first to B which sends it to C?
>
> Please correct me if I'm wrong:
>
> The client knows the volume of the requested doc by its filename and
> the corresponding mount points. It then asks the volume location
> server which file server houses that volume. The client then contacts
> this server and passes(*) its token. The file server then decides
> whether the token is sufficient to access that file, it therefore asks
> the protection server. If all is right, the file server then issues a
> lock (if necessary) for that file and passes its contents over to the
> client...
>
> This seems overly complicated at first sight, but is a fairly scalable
> setup.
>
> (*) 'passes' is probably misleading. "Convinces the server that
> alleged token is really available on the client side" would be more
> correct, I think.
>
> > 5. Is there any chance to distribute a printing service using AFS?
>
> I don't think so. AFS is a filesystem. It does not solve every problem
> under the sun.  IIRC, LPRng can use krb5 tickets for printer access
> and accounting. No need for AFS here.
>
> Yours,
> --
> Martin Schulz                     schulz@iwrmm.math.uni-karlsruhe.de
> Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
> Engesser Str. 6, 76128 Karlsruhe
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
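Martin mentions, in the quoted reply, that the Kerberos principal database and the AFS protection database have to be kept in sync by hand, since the `uss` commands are not adapted to a krb5 setup. The following is an added example of how such a reconciliation script could be structured; it is not code from the thread or from OpenAFS. It assumes the usual AFS naming convention (a principal `user/instance@REALM` becomes the pts name `user.instance`), that service principals are recognised by a fixed prefix list, and that both command outputs are supplied as text. The sample outputs embedded below are constructed, not captured from a real cell. The script only computes and prints the `pts createuser` commands it would run, so an administrator can review them first.

```python
import re

# Constructed sample of `kadmin.local -q listprincs` output (not real data).
SAMPLE_PRINCS = """\
Authenticating as principal root/admin@EXAMPLE.ORG with password.
klaas@EXAMPLE.ORG
klaas/admin@EXAMPLE.ORG
martin@EXAMPLE.ORG
afs/example.org@EXAMPLE.ORG
krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
kadmin/admin@EXAMPLE.ORG
host/fs1.example.org@EXAMPLE.ORG
"""

# Constructed sample of `pts listentries -users` output (not real data).
SAMPLE_PTS = """\
Name                          ID  Owner Creator
klaas                        101   -204    -204
anonymous                  32766   -204    -204
"""

# Assumption: principals with these prefixes are service principals that
# should never get a pts user entry.
SERVICE_PREFIXES = ("afs/", "krbtgt/", "kadmin/", "host/")

# Only names made of these characters are ever handed to a shell command;
# anything else is reported and skipped rather than quoted around.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def principal_to_pts_name(principal, realm):
    """Map user@REALM -> user and user/inst@REALM -> user.inst.

    Returns None for principals of another realm and for service principals.
    """
    if "@" not in principal:
        return None
    name, _, prealm = principal.rpartition("@")
    if prealm != realm or name.startswith(SERVICE_PREFIXES):
        return None
    return name.replace("/", ".")


def parse_listprincs(text, realm):
    """Return the pts names for all user principals in kadmin's listprincs output."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        # kadmin prints a chatty header line; real principals are single tokens.
        if not line or " " in line:
            continue
        pts_name = principal_to_pts_name(line, realm)
        if pts_name is not None:
            names.add(pts_name)
    return names


def parse_pts_listentries(text):
    """Return the set of user names present in `pts listentries` output."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Name":  # skip blank lines and the header
            continue
        names.add(fields[0])
    return names


def missing_pts_users(princs_text, pts_text, realm):
    """Names that exist in Kerberos but have no pts entry, sorted for stable output."""
    wanted = parse_listprincs(princs_text, realm)
    present = parse_pts_listentries(pts_text)
    return sorted(wanted - present)


def createuser_commands(names):
    """Build the commands an admin would run; refuses names that fail SAFE_NAME."""
    commands = []
    for name in names:
        if not SAFE_NAME.match(name):
            raise ValueError("refusing to build a command for unsafe name %r" % name)
        commands.append("pts createuser -name %s" % name)
    return commands


if __name__ == "__main__":
    missing = missing_pts_users(SAMPLE_PRINCS, SAMPLE_PTS, "EXAMPLE.ORG")
    for cmd in createuser_commands(missing):
        print(cmd)  # review, then run by hand or feed to a wrapper that calls pts
```

In a real cell the two sample strings would be replaced by the captured output of `kadmin.local -q listprincs` and `pts listentries -users`; the script deliberately stops at printing the commands, so that an administrator sees exactly which entries would be created before anything touches the protection database.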