[OpenAFS] Future of AFS? Interesting Ideas!?

Benjamin Rodewald br@linuxfriendly.de
Mon, 6 Jan 2003 00:01:44 +0100

On Sunday 05 January 2003 21:46, Ken Hornstein wrote:

> I wish Outlook _did_ do Kerberos; that's rather unfortunate, since
> MS even ships with Kerberos in the OS and they have no excuse.
> However, other than Outlook, things aren't bad.  Eudora and Mulberry
> both support Kerberos for POP/IMAP/SMTP, and so does the "Mail"
> app that ships with OS X.  These are real applications that are
> production quality, and our users seem to be happy with them.

The following Article (MS Technet) may be of interest to you:
You will still have to provide an AD-Domain for Exchange 2000 Servers but I am
sure it should be possible to use an existing Kerberos installation with th=
Domain (and maybe the information of article mentioned above).
It should also be easy to establish a trust relationship between a Kerberos
and AD domain (but this trust won't be transitive).

> Now _this_, I don't understand at all.  LDAP isn't an authentication
> system.  When people say stuff like, "LDAP authentication", most
> of the time they really mean storing plaintext passwords in their
> LDAP database.  If you're just doing _that_, then Kerberos can do
> the same thing, and that actually has pretty good coverage.  That's
> not SSO in my book, but I don't see how that's any worse than LDAP.

You're right. People often mean plaintext passwords stored in LDAP.
But imho the best solution is a Kerberos installation with user information
stored in LDAP.
I am not sure whether it is possible to log on to a Unix box with only a
Kerberos ticket. Where would the uid/guid information come from??
Of course you could use NIS for uid/guid things to work, but I really hate the
concepts of NIS - it's flat!


--
Benjamin Rodewald
 linuxfriendly.de - penguin empowered