AFS and Kerberos

Russ Allbery rra at stanford.edu
Sat Jul 28 23:26:44 EDT 2007


Manahound Castalot <mr_castalot at yahoo.com> writes:

> You wrote that all of your hosts should now allow "either" K4 or K5,
> have you seen both work at the same time?

Sure, that's how most of our systems have been set up.  Still, all but the
latest builds allow either K4 or K5 logins via rlogin or rsh.  AFS's
aklog, however, does one or the other; we switched from KTH Kerberos's
afslog for K4 to the OpenAFS aklog which only does K5.

We never have, and won't ever, run the krb524d.

> Are you using OpenAFS or IBM's?  We're using IBM's on a decent scale
> with a smattering of open in mostly test cases.

We've used OpenAFS exclusively for many years.

> In an effort to increase file system security for NFS we're looking at
> using LDAP and Kerb5 to increase the number of groups users can be a
> part of and therefore increasing the granularity of the file systems
> using groups.  Today there are too many users who are already bumping
> against the 16 group limit so increasing that count as-is will not work.

What 16-group limit is that?

> All of our hosts are AFS clients, and therefore using K4 I think.  You
> made it sound as though IBM AFS can use K5 though.  I'm not the AFS
> admin so my understanding is a bit muddled.

I'm not sure if IBM AFS can do K5.  OpenAFS has been able to do K5 since
1.2.8 natively, and has included aklog since 1.4.0.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list