[OpenAFS] some simple openafs questions

Christian Ospelkaus christian@core-coutainville.org
Fri, 25 Jul 2003 09:59:38 +0200


> No, this is not my intention. I will have my own cell. If I were to join
> the university cell (probably not an option), would setting up kerberos
> not be necessary?

Not a KDC.

> > Otherwise, you could start setting up your own cell. This will however
> > involve setting up a Kerberos KDC; KV is indeed preferred - you can use
> > Heimdal or MIT. Both are nicely packaged for Debian. Heimdal has the
> > advantage that it can also provide support for V4 clients.
>
> I've taken a look at Hartman's configuration-transcript.txt. It says
>
> *****************************************************************
> By default, Kerberos4 requests are allowed from principals that do not
> require preauthentication.  This allows Kerberos4 services to exist while
> requiring most users to use Kerberos5 clients to get their initial
> tickets. These tickets can then be converted to Kerberos4 tickets.
> Alternatively, the mode can be set to full, allowing Kerberos4 to get
> initial tickets even when preauthentication would normally be required, or
> to disable, which will disable all Kerberos4 support.
>
>   d. disable  f. full  n. nopreauth
>
> What Kerberos4 compatibility mode should be used? [n]
> *****************************************************************
>
> This configuration corresponds to MIT Kerberos. I'm not sure what this
> means, but it seems to imply that krb4 client support does work in some
> fashion.  I'm also not sure what preauthentication means. Should I set
> this to full or nopreauth?

I think the default is OK.

> I do want klog to continue working with my server.
>
> In any case, is there any other reason to prefer one implementation -
> Heimdal vs MIT - versus the other?

If you compile applications with Kerberos support yourself, this may be 
easier with the MIT version. You need to distinguish between the KDC and the 
client programs. As far as I know, a Heimdal KDC has the advantage that it 
can also provide you with Kerberos 4 backwards compatibility. 

On the client side, the Heimdal programs provide excellent AFS integration. 
For example, if I do a kinit, I get a V5 ticket, and it also transparently 
gets an afs token. With MIT, you need to do a kinit to get a V5 ticket, and 
then aklog from the openafs-krb5 package to obtain a token. I use a 
configuration with a Heimdal KDC, the Heimdal client programs, the 
libpam-krb5 PAM module (compiled against MIT libraries) for Kerberos 
authentication at login and the libpam-openafs-session module for token 
grabbing at login.

Note that in order to make it all work that way, Heimdal needs to be compiled 
with AFS and kth-krb4 support (which is the case with the Debian packages).

> I take it this kaserver is a KRB 4 implementation? Is it part of openafs?
> I can't see anything that looks like this in the openafs packages.

It is Kerberos 4. I can't find it in the packages either. But it is part of 
the sources of openafs.

> Isn't this one for kaserver, though?

Yes, and it is not installed on my box. I just also pasted the lines starting 
with "un" from the output of dpkg -l openafs*

> > openafs-ptutil
>
> This one doesn't seem to exist any longer.

See above. Best regards,

Christian
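An added example, not taken from Christian's message or from the Debian packages he names, of the PAM stacking the message describes: libpam-krb5 authenticates the user and creates the Kerberos 5 ticket cache, and libpam-openafs-session, placed after it in the session stack, uses that cache to obtain the AFS token at login. The module file names (pam_krb5.so, pam_openafs_session.so, pam_unix.so), the control flags and the options shown are assumptions; check the names your installed packages actually put under /lib/security before using it.

```pam
# /etc/pam.d/login  (added example; module names, flags and options are
# assumptions, not copied from the original message or the packages)

# Authentication: try Kerberos first and fall back to the local password
# database, so local accounts still work when the KDC is unreachable.
auth     sufficient   pam_krb5.so
auth     required     pam_unix.so use_first_pass

# Account checks stay with the local account database.
account  required     pam_unix.so

# Session: pam_krb5 must run before pam_openafs_session, because the AFS
# session module needs an existing Kerberos 5 ticket cache to convert into
# an AFS token. Both are "optional" so that a KDC or fileserver outage does
# not lock people out of the box entirely.
session  required     pam_unix.so
session  optional     pam_krb5.so
session  optional     pam_openafs_session.so
```

After logging in through this stack, klist should show the Kerberos 5 ticket and tokens should show the AFS token for the cell. The ordering of the two session lines is the part that matters: swap them and pam_openafs_session runs before a ticket cache exists, so no token is obtained. This is the login-time equivalent of what the message describes at the shell: with Heimdal's AFS-enabled kinit one command does both steps, while with MIT you run kinit and then aklog.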