> Ahhh, I think I get it now.  So you can use klog.krb and use the stock
> kaserver included with AFS to support a Kerberos 4-based authentication
> scheme for AFS and other services, is that correct?  I was working under
> the impression that the only reason you'd use klog.krb is if you were
> going to replace kaserver with MIT Kerberos.

Yes, with a small "but". There are some newer kaservers (latest
working kaserver known to me in this respect is 3.5-3.32, but that one
has other bugs) out there that have the little bug which prevents them
from answering Kerberos (v4) questions correctly. Wanted you to know
that so that you won't be astonished later. I'd use another kdc than
the kaserver.

> you can choose a small machine with very little CPU power and a small
> disk, but that usually precludes much in the way of hardware redundancy. 
> Does the system of slave servers and failover work well enough that this
> becomes a non-issue? 

The redundancy at our site(s) lies in multiple small servers with
hardware of such a kind that it is very usual and cheap and you have
more than one of the same kind at your site anyway. As the KDC is your
primary security point, choose an OS that you know you can close up
tight (no services but kdc, no login but console ...) Btw, I'd make my
backups of the kdc database to some media mounted locally on the
primary kdc or just keep my fingers crossed that I won't get a
corrupted database from a primary if the primary's disk goes bad.
Depends on how many users you have of course. But now we are drifting
a bit from the AFS theme here.

> Keep your fingers crossed for me!

Good luck,
Harald.
