Michael Pelletier <[EMAIL PROTECTED]> writes:
> I've been having some trouble getting my mind around the question of
> whether, in a new AFS cell deployment, to start off with an installation
> of MIT Kerberos.
The short version of my advice is "yes, a Kerberos V5 installation, and
start using the migration toolkit from the very beginning." In this
situation, you should be able to get away with only giving the migration
daemon and the kaserver the afs key, since the only thing that will need
to use K4 is AFS.
> I'd like to get to the point where I'd be able to deploy kerberized and
> encrypted telnet, rlogin, IMAP, ssh, VPN access, and so on, but I'm not
> clear on whether AFS's kaserver is sufficient for this.
AFS's kaserver is completely adequate for this, being a full-fledged
Kerberos V4 kdc, but you don't want to use Kerberos V4 in a new
installation. You want to start off with Kerberos V5, which is a
completely separate and incompatible protocol unfortunately.
> I get the impression that it's not sufficient, due to the fact that the
> ticket-granting-ticket is discarded after the AFS token is acquired...
One has to distinguish here between the AFS kaserver, which is the kdc,
and the applications that may come with it (which I've always completely
ignored in favor of either MIT Kerberos V4 or MIT Kerberos V5 with K4
compatibility clients and servers).
> Would I be better off with Kerberos 4 or 5 in the long run?
Definitely V5.
> Also, does the Kerberos realm have to match the DNS domain name of the
> machines in the realm?
No.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
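As an added illustration of the last answer (not code from Russ's reply or from any Kerberos or AFS distribution): the realm name is chosen independently of DNS, and the client library learns which realm a host belongs to from the [domain_realm] section of krb5.conf. The script below parses a constructed krb5.conf fragment in which the realm (AFS.EXAMPLE.ORG) deliberately does not match the hosts' DNS domain (corp.example.net), and resolves hostnames to realms with the lookup order MIT krb5 documents for that section: an exact host entry wins, otherwise the longest matching leading-dot domain entry, otherwise the default realm. All names are made up.

```python
"""Resolve hostnames to Kerberos realms from a krb5.conf [domain_realm] table.

Constructed example: the realm is AFS.EXAMPLE.ORG while the hosts live in the
DNS domain corp.example.net, showing that the two names need not agree.
"""
from typing import Dict, Optional

# Constructed krb5.conf fragment; not taken from any real deployment.
KRB5_CONF = """
[libdefaults]
    default_realm = AFS.EXAMPLE.ORG

[realms]
    AFS.EXAMPLE.ORG = {
        kdc = kdc1.corp.example.net
        admin_server = kdc1.corp.example.net
    }

[domain_realm]
    .corp.example.net = AFS.EXAMPLE.ORG
    corp.example.net = AFS.EXAMPLE.ORG
    legacy.corp.example.net = OLD.EXAMPLE.ORG   # one host kept in an old realm
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the key/value pairs of the [domain_realm] section, keys lowercased."""
    mapping: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def realm_for_host(host: str, mapping: Dict[str, str],
                   default: Optional[str] = None) -> Optional[str]:
    """Exact host entry first; then each parent domain as a leading-dot entry
    (longest suffix wins); fall back to the default realm, if any."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return default
```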