On Fri, 2014-02-14 at 00:59 -0600, Andrew Deason wrote:
> You don't need a DNS server (BIND), but you do need to pick a name for
> the "AFS cell", and some people will recommend that having a real DNS
> server can make things easier. The cell name is usually a DNS FQDN, but
> it doesn't actually need to be related to anything in DNS, so you can
> make something up if you want to. All guides I am aware of will require
> a Kerberos KDC; in my opinion, a truly "minimal" setup would not require
> one, but I don't think any guides let you skip that.

I will note that it's much easier to set up Kerberos in conjunction with
DNS, since it really wants to derive both realm names and canonical
hostnames from DNS. You *can* make it work without DNS but it's a bit
trickier and requires more work on the Kerberos side, especially if
Windows clients will be involved.

> - Most guides will tell you to set up Kerberos 5 using the commands
> 'asetkey' and a file called the KeyFile. Some people may tell you to
> use a more modern mechanism using a file called 'rxkad.keytab'
> instead. If you don't care much about security, it doesn't matter
> which way you do, and all guides I am aware of currently use the
> asetkey/KeyFile route (the rxkad.keytab thing is rather new).

The Solaris guide is updated to use rxkad.keytab, and I've been poking
at the Fedora one which is a bit dated.

-- 
brandon s allbery kf8nh
sine nomine associates
[email protected] [email protected]
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net
