On Thu, 28 Dec 2000, Michael Pelletier wrote:

> I've been having some trouble getting my mind around the question of
> whether, in a new AFS cell deployment, to start off with an installation
> of MIT Kerberos.
> 
> I'd like to get to the point where I'd be able to deploy kerberized and
> encrypted telnet, rlogin, IMAP, ssh, VPN access, and so on, but I'm not
> clear on whether AFS's kaserver is sufficient for this.  I get the
> impression that it's not sufficient, due to the fact that the
> ticket-granting-ticket is discarded after the AFS token is acquired...  Is
> this correct?
 
It's not kaserver that discards the tgt, it's klog.  If you replace klog
with klog.krb the tgt gets kept and you can subsequently use it to get
service tickets for other services.

> Would I be better off with Kerberos 4 or 5 in the long run?
 
Given the list of things you want to do I would say yes, absolutely.
Go with K5 and don't look back.  kaserver is still K4 and it doesn't
appear(?) that IBM is planning to move it to K5 possibly ever.
Meanwhile the rest of the world is moving to K5 slowly but surely.
If you're just starting off, go with K5 now and you won't have to
migrate later when a compelling reason comes along.

> Also, does the Kerberos realm have to match the DNS domain name of the
> machines in the realm?

No.  The realm is specified in a config file on the client.  Current
thinking here is don't even bother making it match the DNS domain.
That way when the burrowcrats rename your organization and decide you
have to change the domain name to match, you won't be compelled to
change the realm name, too.

-Mitch
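
The point above about the realm being set in a client config file, shown as an added example that is not part of the original message: an MIT Kerberos 5 `krb5.conf` in which the realm name is deliberately unrelated to the hosts' DNS domain. The realm name, host names and domains are constructed placeholders.

```ini
# /etc/krb5.conf on a client machine.
# Constructed example: the realm, hosts and domains are placeholders.

[libdefaults]
    # Realm assumed when a principal is written without one.
    # Nothing requires it to resemble the DNS domain of the hosts.
    default_realm = CELL.REALM.EXAMPLE

[realms]
    # The KDCs are listed by host name, so the realm name itself
    # never has to resolve in DNS.
    CELL.REALM.EXAMPLE = {
        kdc = kdc1.dept.example.org
        kdc = kdc2.dept.example.org
        admin_server = kdc1.dept.example.org
    }

[domain_realm]
    # Host-to-realm mapping. Without an entry here the client falls
    # back to the upper-cased DNS domain of the host as the realm,
    # which is wrong when the two names differ.
    .dept.example.org = CELL.REALM.EXAMPLE
    dept.example.org = CELL.REALM.EXAMPLE

    # If the organization's DNS domain is later renamed, only a
    # mapping for the new domain is added; the realm, its principals
    # and its keys stay as they are.
    .renamed.example.net = CELL.REALM.EXAMPLE
    renamed.example.net = CELL.REALM.EXAMPLE
```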
