On Feb 12, 2010, at 17:41 , J wrote:
> Also, I see that I need port 88 open to authenticate, which on one hand makes sense since this is a Kerberos port. But most of the documentation I've read about AFS says I only need ports open in the 7000 range (specifically 7001) for minimal file server access, so I was wondering if I'm missing something there.

Most of the documentation is a little out of date; the "only ports in the 700[0-9]/UDP range" is from when AFS provided its own authentication (kaserver) and time services, but these days it's strongly preferred to use Kerberos (more secure; there are unfixable protocol-level flaws in the ancient Kerberos implementation used by kaserver) and NTP/SNTP (more accurate, and in a global network it's better for everyone to use a common global time reference), so servers should also expose 88/TCP (and sometimes 750/TCP, but you probably don't care) and all machines should use 123/UDP.

--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] [email protected]
system administrator [openafs,heimdal,too many hats] [email protected]
electrical and computer engineering, carnegie mellon university KF8NH
