[OpenAFS] some simple openafs questions

Faheem Mitha faheem@email.unc.edu
Thu, 24 Jul 2003 23:37:10 -0400 (EDT)


Thanks for the explanation. I think I understand what is going on better
now.

On Thu, 24 Jul 2003, Christian Ospelkaus wrote:

> > 2) I'm considering trying to install an Openafs server on a Debian
> >    machine. I am not completely clear from the documentation whether
> >    it is actually necessary to install and configure kerberos
> >    (kerberos 5 seems to be the preferred version). Parts of the
> >    documentation suggest that one could use the `afs authentication
> >    system', whatever this is. Adding to my confusion is that the
> >    openafs debian packages openafs-dbserver and openafs-fileserver do
> >    not mention kerberos even as a recommends.
>
> Well, it all depends. If you want to set up a server, you can either join
> your University's AFS cell with your new server. This requires, however, that
> the UNC admins would completely trust you because you would have to install
> their AFS key on your server. I don't know how likely that is.

No, this is not my intention. I will have my own cell. If I was to join
the university cell (probably not an option), would setting up kerberos
not be necessary?

> Otherwise, you could start setting up your own cell. This will however
> involve setting up a Kerberos KDC; KV is indeed preferred - you can use
> Heimdal or MIT. Both are nicely packaged for Debian. Heimdal has the
> advantage that it can also provide support for V4 clients.

I've taken a look at Hartman's configuration-transcript.txt. It says

*****************************************************************
By default, Kerberos4 requests are allowed from principals that do not
require preauthentication.  This allows Kerberos4 services to exist while
requiring most users to use Kerberos5 clients to get their initial
tickets. These tickets can then be converted to Kerberos4 tickets.
Alternatively, the mode can be set to full, allowing Kerberos4 to get
initial tickets even when preauthentication would normally be required, or
to disable, which will disable all Kerberos4 support.

  d. disable  f. full  n. nopreauth

What Kerberos4 compatibility mode should be used? [n]
*****************************************************************

This configuration corresponds to MIT Kerberos. I'm not sure what this
means, but it seems to imply that krb4 client support does work in some
fashion.  I'm also not sure what preauthentication means. Should I set
this to full or nopreauth?

I do want klog to continue working with my server.

In any case, is there any other reason to prefer one implementation -
Heimdal vs MIT - versus the other?

> > If it is not necessary, is it still desirable to use kerberos?
>
> If you are setting up a new cell, you _really_ need it, either some K5
> (preferred), or the kaserver which is mentioned in the AFS documentation.

I take it this kaserver is a KRB 4 implementation? Is it part of openafs?
I can't see anything that looks like this in the openafs packages.

> > Does a tutorial for AFS server installation on Debian exist anywhere?
> > My impression is no.
>
> /usr/doc/openafs-fileserver/README.Debian from the openafs-fileserver
> package. When setting up a new cell, you will also need other packages. Below
> the list of packages installed on one of my file- and dbservers:
>
> openafs-client
> openafs-dbserver
> openafs-fileserver

> openafs-kpasswd

Isn't this one for kaserver, though?

> openafs-krb5
> openafs-modules-2. 1.2.9-0.woody1...
> openafs-modules-source...

> openafs-ptutil

This one doesn't seem to exist any longer.

                                                                Faheem.