[OpenAFS] [Possibly OT] Implementing a KDC for OpenAFS

Madhusudan Singh singh.madhusudan@gmail.com
Sun, 22 May 2005 00:09:23 -0400


This query might be slightly off-topic, but it is related sufficiently to=20
OpenAFS for me to at least try getting some answers here.

questions for the KDC I intend to implement for our group's OpenAFS
server(s) :

1. Which is the better choice from the point of view of a Kerberos
authentication mechanism that fully integrates with OpenAFS (I will be
using Debian Sarge) - MIT or Heimdal ?

2. The group I administer servers for is a part of a much larger
organization which has its own realm and AFS setup. However, I want only a
subset of that organization (viz. my own group) to be authenticated for
access to our fileservers (which have FQDNs and are visible on the
Internet, running Slackware 10.1). Is it possible for me to get away
without implementing a KDC at all and just pass on the authentication
requests to the organization's KDC after ensuring that they belong to a
restricted subset of the users at my end ?

3. Let us assume that the answer to 2 above is no. In that case, is it
possible for me to hide the KDC completely from the Internet ( with class C
addresses) ? Let us assume the following topology :=20

=46ileserver (with a lot of hard disk space with two network interfaces - w=
network addresses - FQDN address and a class C address, say
=2D------- KDC server (a small amount of hard disk space with IP

All the clients would have dynamic IP addresses in the range that is outside
of the class C network (obtained from a DHCP server in the larger
organization I refered to in 2 above).

I guess I am asking if it is possible for the fileservers to "forward"
authentication requests in some fashion to a KDC that the clients know (and
can know) nothing about.

Or should the KDC be the machine that is visible on the Internet and the
fileservers have the class C addresses ?

Please bear with me - this is first time I am trying to set up a KDC and am
also totally new to kerberos administration. Any pointers to relevant
documentation would be greatly welcome.