A few questions about implementing a KDC for OpenAFS

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

A few questions about implementing a KDC for OpenAFS

Geico Caveman-3
Hi

 I am going through the MIT Kerberos 5 Installation Guide, and have a few
questions for the KDC I intend to implement for our group's OpenAFS
server(s) :

1. Which is the better choice from the point of view of a Kerberos
authentication mechanism that fully integrates with OpenAFS (I will be
using Debian Sarge) - MIT or Heimdal ?

2. The group I administer servers for is a part of a much larger
organization which has its own realm and AFS setup. However, I want only a
subset of that organization (viz. my own group) to be authenticated for
access to our fileservers (which have FQDNs and are visible on the
Internet, running Slackware 10.1). Is it possible for me to get away
without implementing a KDC at all and just pass on the authentication
requests to the organization's KDC after ensuring that they belong to a
restricted subset of the users at my end ?

3. Let us assume that the answer to 2 above is no. In that case, is it
possible for me to hide the KDC completely from the Internet ( with class C
addresses) ? Let us assume the following topology :

Fileserver (with a lot of hard disk space with two network interfaces - with
network addresses - FQDN address and a class C address, say 192.168.0.1)
-------- KDC server (a small amount of hard disk space with IP
192.168.0.2).

All the clients would have dynamic IP addresses in the range that is outside
of the class C network (obtained from a DHCP server in the larger
organization I refered to in 2 above).

I guess I am asking if it is possible for the fileservers to "forward"
authentication requests in some fashion to a KDC that the clients know (and
can know) nothing about.

Or should the KDC be the machine that is visible on the Internet and the
fileservers have the class C addresses ?

Please bear with me - this is first time I am trying to set up a KDC and am
also totally new to kerberos administration. Any pointers to relevant
documentation would be greatly welcome.

MS
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: A few questions about implementing a KDC for OpenAFS

Russ Allbery
Madhusudan Singh <[hidden email]> writes:

> 1. Which is the better choice from the point of view of a Kerberos
> authentication mechanism that fully integrates with OpenAFS (I will be
> using Debian Sarge) - MIT or Heimdal ?

Either will work, and I believe both have support in Debian already,
although the configuration transcript that comes with the OpenAFS packages
assumes MIT.  The advantage of Heimdal is that it more natively supports
pretending to be an OpenAFS kaserver, which is sometimes useful.

> 2. The group I administer servers for is a part of a much larger
> organization which has its own realm and AFS setup. However, I want only
> a subset of that organization (viz. my own group) to be authenticated
> for access to our fileservers (which have FQDNs and are visible on the
> Internet, running Slackware 10.1). Is it possible for me to get away
> without implementing a KDC at all and just pass on the authentication
> requests to the organization's KDC after ensuring that they belong to a
> restricted subset of the users at my end ?

You can create PTS entries only for a limited set of users in your local
Kerberos realm.  Only users with PTS entries will be able to use their
Kerberos tickets to get more than system:anyuser access to the AFS cell,
if I recall correctly.

> I guess I am asking if it is possible for the fileservers to "forward"
> authentication requests in some fashion to a KDC that the clients know
> (and can know) nothing about.

Only if you use only the native K4 AFS protocol to do authentication,
which definitely isn't the recommended configuration.  If you use K5 for
authentication, as is recommended, the clients need to talk directly to
the KDC.

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Loading...