[OpenAFS] getting (re)started on debian

Russ Allbery rra@stanford.edu
Fri, 24 May 2013 14:16:15 -0700


Benjamin Kaduk <kaduk@MIT.EDU> writes:

> As far as a KDC goes, Debian's default is the MIT code (disclosure: my
> employer).  I expect you'd need to be doing something reasonably unusual
> for there to be a reason to pick one of Heimdal and MIT over the other,
> other than personal preference.

I would say that Debian doesn't have a default KDC, in the sense that
nothing is going to make assumptions about or install a particular KDC.
Both the MIT Kerberos KDC and the Heimdal KDC are present and usable, and
Debian doesn't particularly care or recommend which one you use.  However,
the OpenAFS documentation has an example of a complete setup from scratch
including setting up an MIT Kerberos KDC, and doesn't have a corresponding
piece of documentation for Heimdal.

MIT Kerberos is indeed Debian's default *client library*, and all software
in Debian that uses Kerberos is built against the MIT Kerberos client
libraries by default.

For most purposes, the MIT Kerberos and Heimdal KDCs are both fine and
would both work without any issues.  However, I will note that the
incremental propagation implementation in Heimdal (for synchronizing
multiple KDCs) is still significantly less buggy than the MIT Kerberos
implementation, although the latter has made great strides in the past two
years.

(Stanford used to use MIT Kerberos for our KDC implementation and switched
to Heimdal some years back.  Some, but not all, of the reasons for that
switch at the time have since been remedied in MIT Kerberos.  Most of the
remaining reasons are fairly obscure and are related to our desire to
customize the KDC code rather than run a stock KDC.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>