AFS and kerberos

Faeandar mr_castalot at yahoo.com
Mon Jul 30 21:54:58 EDT 2007


On Sat, 28 Jul 2007 20:26:44 -0700, Russ Allbery <rra at stanford.edu>
wrote:

>Manahound Castalot <mr_castalot at yahoo.com> writes:
>
>> You wrote that all of your hosts should now allow "either" K4 or K5,
>> have you seen both work at the same time?
>
>Sure, that's how most of our systems have been set up.  Still, all but the
>latest builds allow either K4 or K5 logins via rlogin or rsh.  AFS's
>aklog, however, does one or the other; we switched from KTH Kerberos's
>afslog for K4 to the OpenAFS aklog which only does K5.
>
>We never have, and won't ever, run the krb524d.
>
>> Are you using openAFS or IBM's?  We're using IBM's on a decent scale
>> with a smattering of open in mostly test cases.
>
>We've used OpenAFS exclusively for many years.
>
>> In an effort to increase file system security for NFS we're looking at
>> using LDAP and Kerb5 to increase the number of groups users can be a
>> part of and therefore increasing the granularity of the file systems
>> using groups.  Today there are too many users who are already bumping
>> against the 16 group limit so increasing that count as-is will not work.
>
>What 16-group limit is that?

The one in Solaris and Linux.  Maybe Linux is 32, I don't know for sure.
I hear that a system change on Solaris will allow for 32 but unless
your NFS servers are Solaris you break NFS.

I'm looking into increasing file system security over NFS and was
initially leaning towards kerb5 with LDAP to allow for a greater
number of unix groups, and therefore greater access control (beyond 16
groups) even if it is still ugo.
But so far I'm doubtful that will work.

Thanks.

~F
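An added audit check, not part of this thread, for the situation ~F describes: the 16-GID cap is the AUTH_SYS (AUTH_UNIX) RPC credential limit that NFS inherits when Kerberos is not in use, so counting group(5) memberships per user shows who is already at or past it. The script is constructed here (assumed group(5) layout, made-up sample file), and it counts only supplementary groups, not the primary group from passwd(5).

```shell
#!/bin/sh
# over_group_limit GROUPFILE [LIMIT]
# Print "user count" for every user whose supplementary-group count in a
# group(5)-format file exceeds LIMIT (default 16, the AUTH_SYS gids<16> cap).
over_group_limit() {
    file=$1
    limit=${2:-16}
    awk -F: -v limit="$limit" '
        # Field 4 of group(5) is the comma-separated member list.
        NF >= 4 && $4 != "" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) count[members[i]]++
        }
        END {
            for (u in count) if (count[u] > limit) print u, count[u]
        }' "$file" | sort
}

# Constructed sample group file (not from any real host): "alice" is a
# member of 17 groups, "bob" of 3, "carol" of 1.
make_sample_group_file() {
    f=$(mktemp)
    i=1
    while [ "$i" -le 17 ]; do
        printf 'proj%d:x:%d:alice\n' "$i" $((1000 + i)) >> "$f"
        i=$((i + 1))
    done
    printf 'wheel:x:10:bob\n' >> "$f"
    printf 'dev:x:20:bob,carol\n' >> "$f"
    printf 'ops:x:21:bob\n' >> "$f"
    echo "$f"
}
```

Run it against a real file with `over_group_limit /etc/group`; users it prints will silently lose access to NFS exports whose ACL relies on any group past the sixteenth.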
