A few questions about implementing a KDC for OpenAFS

Russ Allbery rra at stanford.edu
Tue May 24 19:26:26 EDT 2005


Madhusudan Singh <spammers-go-here at spam.invalid> writes:

> 1. Which is the better choice from the point of view of a Kerberos
> authentication mechanism that fully integrates with OpenAFS (I will be
> using Debian Sarge) - MIT or Heimdal?

Either will work, and I believe both have support in Debian already,
although the configuration transcript that comes with the OpenAFS packages
assumes MIT.  The advantage of Heimdal is that it more natively supports
pretending to be an OpenAFS kaserver, which is sometimes useful.

> 2. The group I administer servers for is a part of a much larger
> organization which has its own realm and AFS setup. However, I want only
> a subset of that organization (viz. my own group) to be authenticated
> for access to our fileservers (which have FQDNs and are visible on the
> Internet, running Slackware 10.1). Is it possible for me to get away
> without implementing a KDC at all and just pass on the authentication
> requests to the organization's KDC after ensuring that they belong to a
> restricted subset of the users at my end?

You can create PTS entries only for a limited set of users in your local
Kerberos realm.  Only users with PTS entries will be able to use their
Kerberos tickets to get more than system:anyuser access to the AFS cell,
if I recall correctly.

> I guess I am asking if it is possible for the fileservers to "forward"
> authentication requests in some fashion to a KDC that the clients know
> (and can know) nothing about.

Only if you use only the native K4 AFS protocol to do authentication,
which definitely isn't the recommended configuration.  If you use K5 for
authentication, as is recommended, the clients need to talk directly to
the KDC.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
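The PTS-based restriction described in the reply above, as an added example that is not part of the original thread: a small POSIX sh helper that turns an allow-list of local-realm usernames into the `pts` commands needed to give exactly those users PTS entries, plus a check over `fs listacl` output that confirms `system:anyuser` holds no more than lookup on a directory. The cell name `example.invalid`, the group name `staff`, and the sample ACL listing are constructed placeholders, and the script assumes the OpenAFS client tools (`pts`, `fs`) and admin tokens are available when the generated plan is actually applied.

```shell
#!/bin/sh
# Added example, not code from the original post. Provision AFS PTS entries
# only for an allow-list of users so that everyone else in the realm gets no
# more than system:anyuser access to the cell.

CELL="${CELL:-example.invalid}"   # assumed cell name (placeholder)
GROUP="${GROUP:-staff}"           # assumed PTS group that ACLs grant rights to
PTS="${PTS:-pts}"                 # path to the pts binary

# Read one username per line on stdin (blank lines and '#' comments ignored)
# and emit, one per line, the pts commands that would create the user and add
# it to $GROUP. Nothing is executed here: review the plan, then pipe it to sh.
pts_plan() {
  while IFS= read -r user; do
    case "$user" in ''|'#'*) continue ;; esac
    # Defensive check: only plain principal names, no spaces or shell metachars.
    case "$user" in
      *[!a-z0-9._-]*) echo "skip invalid name: $user" >&2; continue ;;
    esac
    printf '%s createuser %s -cell %s\n' "$PTS" "$user" "$CELL"
    printf '%s adduser %s %s -cell %s\n' "$PTS" "$user" "$GROUP" "$CELL"
  done
}

# Parse 'fs listacl' output on stdin and print the rights string granted to
# system:anyuser in the "Normal rights:" section (empty if there is none).
# Entries under "Negative rights:" are ignored on purpose.
anyuser_rights() {
  awk '/^Normal rights:/   { sec = "normal" }
       /^Negative rights:/ { sec = "negative" }
       sec == "normal" && $1 == "system:anyuser" { print $2; exit }'
}

# Return 0 if system:anyuser has at most lookup ("l") on the listed path,
# 1 if it has been granted anything beyond that (r, w, i, d, k, a).
check_anyuser() {
  rights=$(anyuser_rights)
  case "$rights" in
    *[!l]*) return 1 ;;
  esac
  return 0
}

# Usage (after reviewing the plan):
#   pts_plan < allowed_users.txt | sh
#   fs listacl /afs/$CELL/grp | check_anyuser && echo "anyuser limited to lookup"
```

Because `pts_plan` only prints commands, the allow-list can be reviewed (or diffed against the current `pts listentries` output) before anything touches the protection database; `check_anyuser` is the complementary test that the directory ACLs do not quietly hand unauthenticated or unlisted users more than lookup.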