>> The _real_ issue comes up with AFS compatibility.  You need to salt the
>> password with the correct realm name ... and that ends up being tricky.
>> Maybe part of this guy's problem was that his AFS cell name didn't
>> match his Kerberos realm name, so perhaps I'm overstating the problem.
>> But it _does_ make things harder; believe me, I'd try to avoid it
>> if at all possible.
>
>Ok, so then what happens when you have to change your DNS name down
>the road?  If you then change your kerb realm to match, won't that
>force a flag day for password changes?

In _theory_ (but I don't know anyone that tried it) the alternate salt
stuff should work for V5 passwords (but with AFS passwords, you're
screwed big time).

If you have to change your realm name, you are in for lots of pain.  If
we changed our DNS domain name, I doubt I'd change our realm.  But
there were a few people who said, "Oh, sure, go ahead ... it doesn't
even matter if they're not even close!".  I'm just saying that in my
opinion IT DOES MATTER, and if you can avoid it, you're doing yourself
a favor.  If you can't avoid it, then you can make it work ... but it's
not completely trivial.

I do remember from my experiences in this matter that there were a bunch
of little annoying things that kept cropping up.  Unfortunately, I don't
have much documentation for this.  I'm just speaking as someone who's
seen it from both sides ... take my advice with as many grains of salt
as you feel appropriate.

--Ken
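Added example (not part of Ken's message) showing the salt dependence behind the "flag day" above: the Kerberos V5 default salt is the realm followed by the principal's name components with no separators (RFC 4120 section 4), and the string-to-key for the AES enctypes starts with PBKDF2-HMAC-SHA1 over that salt (RFC 3962), so a renamed realm yields a different key from the same password unless the KDC advertises the salt stored with the key. The final DK step of RFC 3962 and the AFS cell-name salt are not modelled; the principals, password and KDC entry are constructed sample values.

```python
import hashlib

# Default iteration count for the aes*-cts-hmac-sha1-96 string-to-key (RFC 3962).
DEFAULT_ITERATIONS = 4096


def default_salt(principal: str) -> bytes:
    """Default V5 salt (RFC 4120 sec. 4): realm, then the name components in
    order, with no separators.  'host/www.example.com@EXAMPLE.COM' ->
    b'EXAMPLE.COMhostwww.example.com'."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode()


def string_to_key(password: str, salt: bytes,
                  iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (128-bit output).
    The real AES key is DK(tkey, "kerberos") on top of this; that step is
    omitted because the salt dependence that matters here is already fixed."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 16)


def enroll(password: str, principal: str) -> dict:
    """What the KDC keeps for a principal: the derived key and the salt it was
    made with.  It never keeps the password itself."""
    salt = default_salt(principal)
    return {"key": string_to_key(password, salt), "salt": salt}


def login_ok(entry: dict, password: str, principal: str,
             kdc_sends_stored_salt: bool) -> bool:
    """Client-side derivation for the principal name the user has now.  With
    kdc_sends_stored_salt the KDC advertises the salt stored beside the key
    (PA-ETYPE-INFO2, the "alternate salt" case); otherwise the client assumes
    the default salt for its current principal name."""
    salt = entry["salt"] if kdc_sends_stored_salt else default_salt(principal)
    return string_to_key(password, salt) == entry["key"]


if __name__ == "__main__":
    # Constructed sample user, enrolled before the realm rename.
    entry = enroll("hunter2", "ken@OLD.EXAMPLE.COM")
    # After the rename the same person is ken@NEW.EXAMPLE.COM.
    print("default salt after rename:", login_ok(entry, "hunter2", "ken@NEW.EXAMPLE.COM", False))
    print("stored salt after rename: ", login_ok(entry, "hunter2", "ken@NEW.EXAMPLE.COM", True))
```

Run stand-alone it prints False then True: with only the default salt every user must reset their password after the rename, whereas a KDC that keeps and advertises the original salt lets existing keys keep working.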