Michael Pelletier <[EMAIL PROTECTED]> writes:
> Ahhh, I think I get it now. So you can use klog.krb and use the stock
> kaserver included with AFS to support a Kerberos 4-based authentication
> scheme for AFS and other services, is that correct?
Yup.
Although what really works quite well is to grab the latest Kerberos V5
source and build it with the K4 backwards compatibility. Even kinit and
the like just works then. (Not that you want to do this, since you have
the option of going with K5 from the beginning.)
> Also, with respect to implementing a K5 realm, what sort of
> considerations should I take into account when choosing a machine to
> serve as the KDC? I know the FAQ 2.2 mentions that you can choose a
> small machine with very little CPU power and a small disk, but that
> usually precludes much in the way of hardware redundancy. Does the
> system of slave servers and failover work well enough that this becomes
> a non-issue?
You'll notice the delay when it falls over. The best analogy that I've
come up with is to think of it like listing multiple name servers in
/etc/resolv.conf. Yes, there's failover and the failover works, but you
still definitely notice it when the server listed first isn't reachable.
I *strongly* recommend listing CNAMEs in your krb5.conf files for your
clients, BTW, rather than the actual names of the machines. You want to
be able to move the CNAMEs between computers in DNS without having to
rename your systems. That way, if one of the servers goes down and will
be down for a while, you can just move the CNAME that your clients are
pointing at onto another one of the servers.
> Okay, that's good to know. It's sort of the other way around here - we
> were just purchased by another company, and we KNOW that we will, in the
> next 12-18 months, be changing the domain name and IP addresses of all
> our systems. But of course, nobody yet knows what the new domain name
> will be, who will control the DNS servers, and so on. So I figure what
> I'll do is make a good guess as to what the new domain name will be, and
> maybe it'll be satisfactory enough to the higher-ups that it will just
> stick and never need changing.
Sounds reasonable to me. :)
Various things work somewhat nicer if your realm name matches your DNS
domain name, particularly in relation to people from off-site contacting
your realm when they don't have the proper configuration files.
Basically, if your realm name matches your DNS name, some clients will be
able to figure out your realm and possibly your Kerberos servers in some
configurations without needing a configuration file. If your realm name
doesn't match your DNS name, you'll probably need a configuration file
entry anywhere that you want to contact your realm from.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
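As an added illustration, not part of the thread above, here is what the CNAME advice and the "realm name matches DNS domain" point look like in modern MIT Kerberos krb5.conf syntax, with the DNS records clients need noted in comments. The domain example.com, the realm EXAMPLE.COM and every host name are constructed placeholders.

```ini
# krb5.conf (MIT Kerberos syntax). Constructed example; EXAMPLE.COM and
# all host names are placeholders, not values from the thread.

[libdefaults]
    default_realm = EXAMPLE.COM
    # With the realm named after the DNS domain, clients that have no
    # [realms] entry can still find the KDCs through SRV records.
    dns_lookup_kdc = true
    # Realm discovery via _kerberos TXT records is weaker: a spoofed
    # answer can point a client at the wrong realm, so MIT leaves this
    # off by default; keep it off on hosts that carry a full config.
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        # Weak: physical host names. Moving the KDC role to another box
        # means editing krb5.conf on every client.
        #   kdc = kdc-box-17.example.com
        #   kdc = kdc-box-22.example.com
        #
        # Preferred: stable service aliases (CNAMEs). To fail over, point
        # the alias at another server in DNS; clients keep this file.
        # The first entry is tried first, so clients still see the
        # timeout when it is unreachable, as described in the thread.
        kdc = kerberos-1.example.com
        kdc = kerberos-2.example.com
        admin_server = kerberos-admin.example.com
    }

[domain_realm]
    # Explicit host-to-realm mapping. When the realm is just the
    # upper-cased DNS domain, MIT's fallback heuristic gives the same
    # answer, which is why matching the names helps off-site clients.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# DNS records in zone example.com that the setup above relies on:
#   kerberos-1.example.com.         IN CNAME kdc-box-17.example.com.
#   kerberos-2.example.com.         IN CNAME kdc-box-22.example.com.
#   kerberos-admin.example.com.     IN CNAME kdc-box-17.example.com.
#   _kerberos._udp.example.com.     IN SRV 0 0 88  kdc-box-17.example.com.
#   _kerberos._udp.example.com.     IN SRV 1 0 88  kdc-box-22.example.com.
#   _kpasswd._udp.example.com.      IN SRV 0 0 464 kdc-box-17.example.com.
#   _kerberos.example.com.          IN TXT "EXAMPLE.COM"
# SRV targets name the physical hosts, not the aliases: RFC 2782 says an
# SRV target must not be a CNAME. Failover for SRV clients is done by
# editing the SRV records; the CNAMEs serve clients with a static file.
```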