Note: I'm the author of the AFS-Kerberos 5 migration kit, and I'm obviously
biased.  So take that into account.

>I have seen DCE/DFS referred to on this list as a "monstrosity" or
>something similar.  Can anyone share with me reasons for staying away
>from it?  The main advantages I can see in DFS over AFS are better
>(IMHO) ACLs, and scheduled 'vos release's.

The people I've talked to had the following complaints about DCE/DFS:

- Expensive.  For us, the price quoted was 10x the cost of our AFS site
  license.  But that looks like that's being "fixed" (by the recent jacking
  up of the AFS license cost).

- Complicated.  Administration of DCE/DFS was a LOT more work than AFS/krb5.
  But that's only what I've heard from people.

- Poor OS coverage.

- Lagging behind in the Kerberos 5 world.

>Second, how painful is a migration from straight AFS to AFS+krb5?

The migration kit covers this in detail; I don't think it's very painful,
especially considering the fact that unless you did something "funky" with
your cell (like mix v4 & AFS salted keys indiscriminately) you can migrate
your user base over without requiring mass password changes.  This was NOT
possible with DCE/DFS the last time I asked about it.

>Third, is there any merit to my boss's very abstract idea that an
>"integrated security environment" such as DCE/DFS fills in cracks
>better than AFS+krb5?  My personal feeling is that krb5 itself is
>quite integrated and solid, and AFS is built with kerberos in mind.
>But, I'm wondering if some of you could back me up with more
>information or tell me I'm wrong and why.

Well ... to give DCE credit, they have one piece that Kerberos 5 lacks,
and that is an authorization server.  Not only can DCE answer the question,
"Who are you?" (via Kerberos), but it can also answer the question,
"What are you allowed to do?"  (similar to what the ptserver does for
AFS).  So a simple look at DCE would APPEAR to make it a "more integrated
security environment".

However ... I don't believe that's the whole story.  You actually need to
write to the DCE API to make use of the authorization service.  Yes, DCE
provides a GSSAPI interface which is starting to be used by people, but
to use the authorization service you need to make DCE-specific calls.
In my conversations with people who had DCE experience, this is where the
real cost of DCE comes into play.  Getting vendors to adopt DCE (when it
appears that the DCE market isn't exactly expanding) is difficult,
especially when they're dragging to adopt Kerberos 5.  And while you can
use your DCE servers as Kerberos 5 KDCs, if _all_ you're doing is just
serving up Kerberos 5 requests, I think it's a big waste of money.

Let me put it in perspective - The price that we were quoted for DCE/DFS
would have paid my billable-rate salary for approximately 7 years.  We
instead did all of the work of migrating to Kerberos 5, and that took
me approximately a year of work (counting all the time to understand
everything and gather all of the code), _and_ we had a less painful
migration than we would have with DCE.

--Ken