On Thu, 17 Mar 2011 16:05:53 -0500 "Boyd Stephen Smith Jr." <[email protected]> wrote:
> On 2011-03-17 14:53:37 Celejar wrote:
> >> Already using Kerberos everywhere? If not, don't bother with AFS. I'm
> >> not sure about Coda, but I think it is the same situation.
> >
> >Would you mind elaborating a bit? Are you talking about security,
> >authentication, encryption?
>
> Kerberos is primarily authentication. It provides some information to
> authorization systems built on top of it and has some small authorization
> conventions for managing the domain. It uses encryption to enable the
> authentication, but doesn't necessarily enforce any protocol-level encryption
> on applications using it for authentication.
>
> From what I understand, permissions on files under AFS are not really handled
> the way a "simple" UNIX filesystem is (uid/gid/perms in the inode, optional
> acl extensions). Instead, files are owned and permissions granted based on
> your Kerberos principal for the domain the AFS is in. Essentially, a Kerberos
> infrastructure is necessary to use AFS, at least a minimal one. And, with a
> truly minimal Kerberos configuration, I don't think it would be any more
> secure and probably more poorly performing than an equivalent NFS.

Got it; thanks. I suppose I'll probably go with NFS, if for no other
reason than that experience with linux has taught me that *all else being
equal*, it's generally better to do what the masses are doing, as the
likelihood of it Just Working, and of being able to get help and
support, are much better that way.

Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

