[OpenAFS] A few questions

Derek Atkins warlord@MIT.EDU
03 Jul 2002 08:44:15 -0400


"Klaas Hagemann" <kerberos@northsailor.de> writes:

> Ok,
> 
> thanks for your quick answers.
> Concerning the encryption, do I have to activate it on each client? Or is
> there any server operation to generally activate them?

You have to activate it on each client.

> Although there are no passwords being sent over the network, I do have to
> encrypt any communication.

You can encrypt as much as you want.  That's always up to you.

> When I get a token using aklog, it is only valid for one hour. Is it
> possible to change this value?

The token should be valid for as long as your KRB5 tickets are valid,
although there is the limitation of approximately a day.

> Thanks, Klaas

-derek

> 
> ----- Original Message -----
> From: "Martin Schulz" <schulz@iwrmm.math.uni-karlsruhe.de>
> To: <openafs-info@openafs.org>
> Sent: Wednesday, July 03, 2002 2:00 PM
> Subject: Re: [OpenAFS] A few questions
> 
> 
> > "Klaas Hagemann" <kerberos@northsailor.de> writes:
> > > 1. I am running MIT Kerberos V as authentication service and it works
> > > well with openafs and aklog. Do I really need the krb524d daemon?
> >
> > The aklog talks to krb524 to convert a k5 ticket into a k4 ticket, IIRC.
> >
> > > 2. Do I really have to add all kerberos-users with pts createuser? The
> > > problem is not to create them, it is more to keep these databases in
> > > sync.
> >
> > Not all, just those who should be able to use AFS in a non-anonymous
> > way.  I, too, should write myself some script to do so. There are these
> > 'uss' commands delivered with AFS, but they are not adapted to a krb5
> > environment.
> >
> > > 3. Is the AFS communication between the servers and between client and
> > > server encrypted?
> >
> > By default, no. AFAIK, there is a client-side option for a weak
> > encryption of the payload data. Note, however, that no passwords ever
> > travel over the line (Kerberos!)
> >
> > > 4. Let's say A is the client, B is a database server and C is a
> > > fileserver. A wants from B a file being stored in C. How is the
> > > communication working? Does C send the file or volume or whatever
> > > directly to A, or first to B, which sends it to C?
> >
> > Please correct me if I'm wrong:
> >
> > The client knows the volume of the requested doc by its filename and
> > the corresponding mount points. It then asks the volume location
> > server which file server houses that volume. The client then contacts
> > this server and passes(*) its token. The file server then decides
> > whether the token is sufficient to access that file; it therefore asks
> > the protection server. If all is right, the file server then issues a
> > lock (if necessary) for that file and passes its contents over to the
> > client...
> >
> > This seems overly complicated at first sight, but is a fairly scalable
> > setup.
> >
> > (*) 'passes' is probably misleading. "Convinces the server that the
> > alleged token is really available on the client side" would be more
> > correct, I think.
> >
> > > 5. Is there any chance to distribute a printing service using AFS?
> >
> > I don't think so. AFS is a filesystem. It does not solve every problem
> > under the sun.  IIRC, LPRng can use krb5 tickets for printer access
> > and accounting. No need for AFS here.
> >
> > Yours,
> > --
> > Martin Schulz                     schulz@iwrmm.math.uni-karlsruhe.de
> > Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
> > Engesser Str. 6, 76128 Karlsruhe
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
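Martin's remark about wanting a script to keep the Kerberos database and PTS in sync (Klaas's question 2) is the kind of thing that can be done as a dry run first. The following is an added example, not code from this thread or from OpenAFS: it takes a list of krb5 principals and a list of existing PTS user names, keeps only plain user principals of one realm, and prints the `pts createuser` commands that are still missing. The realm EXAMPLE.COM, the sample lists, and the `kadmin.local -q listprincs` / `pts listentries -users` commands mentioned in the comments as input sources are assumptions about a site, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run helper that lists which
# Kerberos user principals still lack a PTS entry, so "pts createuser" is
# only run for real users and not for service principals. The sample data
# and the realm EXAMPLE.COM are constructed; the kadmin/pts listing
# commands named in comments are assumptions about your site.
export LC_ALL=C   # comm and sort must agree on collation

# Keep only plain user principals of realm $1: drop anything with an
# instance ("/"), which covers afs/, host/, krbtgt/, kadmin/ and
# admin instances, and strip the realm so the name matches PTS.
user_principals() {
  awk -F@ -v r="$1" 'NF==2 && $2==r && index($1,"/")==0 {print $1}'
}

# $1: newline-separated krb5 principals, $2: newline-separated existing
# PTS user names, $3: realm. Prints user names that still need a PTS entry.
pts_candidates() {
  k=$(mktemp) && p=$(mktemp) || return 1
  printf '%s\n' "$1" | user_principals "$3" | sort -u > "$k"
  printf '%s\n' "$2" | sort -u > "$p"
  comm -23 "$k" "$p"          # present in krb5, absent from PTS
  rm -f "$k" "$p"
}

# Emit the commands for an admin to review before running them.
pts_create_commands() {
  pts_candidates "$1" "$2" "$3" | sed 's/^/pts createuser -name /'
}

# Constructed sample of what "kadmin.local -q listprincs" and
# "pts listentries -users" might yield once their headers are stripped.
SAMPLE_PRINCS='alice@EXAMPLE.COM
klaas@EXAMPLE.COM
martin@EXAMPLE.COM
afs/example.com@EXAMPLE.COM
host/fs1.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
K/M@EXAMPLE.COM
martin/admin@EXAMPLE.COM
bob@OTHER.REALM'
SAMPLE_PTS='martin
anonymous'

pts_create_commands "$SAMPLE_PRINCS" "$SAMPLE_PTS" EXAMPLE.COM
```

Feeding the real listings in place of the sample strings gives a reviewable list; nothing is created until the printed commands are actually run.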