On Thu, 28 Dec 2000, Mitch Collinsworth wrote:
> It's not kaserver that discards the tgt, it's klog. If you replace klog
> with klog.krb the tgt gets kept and you can subsequently use it to get
> service tickets for other services.
Ahhh, I think I get it now. So you can use klog.krb and use the stock
kaserver included with AFS to support a Kerberos 4-based authentication
scheme for AFS and other services, is that correct? I was working under
the impression that the only reason you'd use klog.krb is if you were
going to replace kaserver with MIT Kerberos.
> > Would I be better off with Kerberos 4 or 5 in the long run?
>
> Given the list of things you want to do I would say yes, absolutely. Go
> with K5 and don't look back. kaserver is still K4 and it doesn't
> appear(?) that IBM is planning to move it to K5 possibly ever.
> Meanwhile the rest of the world is moving to K5 slowly but surely. If
> you're just starting off, go with K5 now and you won't have to migrate
> later when a compelling reason comes along.
Makes sense, thanks for the info! Also, with respect to implementing a K5
realm, what sort of considerations should I take into account when
choosing a machine to serve as the KDC? I know the FAQ 2.2 mentions that
you can choose a small machine with very little CPU power and a small
disk, but that usually precludes much in the way of hardware redundancy.
Does the system of slave servers and failover work well enough that this
becomes a non-issue?
> > Also, does the Kerberos realm have to match the DNS domain name of the
> > machines in the realm?
>
> No. The realm is specified in a config file on the client. Current
> thinking here is don't even bother making it match the DNS domain. That
> way when the burrowcrats rename your organization and decide you have to
> change the domain name to match, you won't be compelled to change the
> realm name, too.
Okay, that's good to know. It's sort of the other way around here - we
were just purchased by another company, and we KNOW that we will, in the
next 12-18 months, be changing the domain name and IP addresses of all our
systems. But of course, nobody yet knows what the new domain name will be,
who will control the DNS servers, and so on. So I figure what I'll do is
make a good guess as to what the new domain name will be, and maybe it'll
be satisfactory enough to the higher-ups that it will just stick and never
need changing. Keep your fingers crossed for me!
-Michael Pelletier.
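As an added illustration of the point above that the realm name lives in the client config and need not match the DNS domain (example config, not from either poster; the realm, hostnames and domain are constructed placeholders), a minimal MIT krb5.conf that maps a DNS domain onto a differently named realm and lists a second KDC so clients can fall back if the primary is down:

```ini
# Constructed example: realm name deliberately does not match the DNS domain.
[libdefaults]
    # Realm used when a principal is given without an explicit @REALM.
    default_realm = CORP-ENG.REALM

[realms]
    # Realm name is arbitrary; it survives a later DNS domain rename.
    CORP-ENG.REALM = {
        # Primary KDC and a replica; clients try them in order,
        # so a replica on a second box covers a primary outage.
        kdc = kdc1.oldcompany.example
        kdc = kdc2.oldcompany.example
        # kadmin and password changes go only to the primary.
        admin_server = kdc1.oldcompany.example
    }

[domain_realm]
    # Host-to-realm mapping; only this section changes after a domain rename.
    .oldcompany.example = CORP-ENG.REALM
    oldcompany.example  = CORP-ENG.REALM
```

After a domain rename, add the new domain's two lines under [domain_realm] (and new kdc hostnames under [realms]) while leaving the realm name and every existing principal untouched.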