RX Kerberos 5 security class requirements of Kerberos library

Derrick J Brashear shadow at dementia.org
Tue Jan 2 14:15:21 EST 2007

On Tue, 2 Jan 2007, Sam Hartman wrote:

>    Jeffrey> Without krb5_generate_creds_with_keytab there are two
>    Jeffrey> alternatives that AFS can pursue:
>    Jeffrey> (1) AFS can use the keytab entry to query the KDC for a
>    Jeffrey> ticket for itself.  Doing so removes the ability of
>    Jeffrey> multiple AFS services on the same machine to communicate
>    Jeffrey> when the network connection goes down unless there is a
>    Jeffrey> KDC instance on the machine.
> I think that this is a far better design for AFS.

Convincing people to put a KDC on every machine? Assuming I believed it 
was a good idea, could existing propagation schemes even reasonable handle 
that? Telling people "your server which is geographically isolated cannot 
have even basic maintenance performed on it if you are network-isolated" 
isn't particularly desirable, and I'd not consider it viable.


More information about the krbdev mailing list