We found the following concepts really useful during installation, setup and usage:
- Google.
  It has much information on how to set up, but I never found a fully complete howto. We used several ones.
- afs-uid = ldap-uid.
  It's not a requirement, but it's less confusing if unix user names correspond to afs.
- Do authenticate only via kerberos (no ldap auth).
  This gives a single point of control of it.
- Use SASL gssapi as much as possible instead of direct kerberos support.
  This will simplify configuration and make a unified environment independent of the kerb implementation.
- We recommend Heimdal kerberos for server and client.
  Mostly because of native afs support, it will simplify kerberos integration with PAM and other types of logins such as login, ssh, etc. For example, you will get an afs ticket right after the kerberos ticket without additional effort.
- Use Heimdal with krb5 support only.
  Although the Heimdal kdc may emulate kaserver, then you should use the krb4 version. It's not really necessary. After the afs principal has been specially created without des3-cbc-sha1 and exported to the afs keyfile, there is no need to support kaserver. This will simplify administration and keep the environment more secure since there is krb4.
- Use PAM for the client, using pam_krb5 and pam_openafs_session.
- Integrate nss_ldap into client and server systems.
- Think about kerberizing all possible user services (not only the file system).
  For example: login, ssh, gdm, ldap, proxy, web, etc. In other words, everything that a user might use. Sometimes it will require recompilation, but don't be afraid of this.
- Be prepared: the OpenAFS kernel module is sometimes not so stable on the Linux platform.
  For example: slocate (updatedb).

Finally, we see no real problems implementing such a configuration. It's all in a few words...

****

Hi!

Just a quick question: I want to set up the new system with ldap for users/groups/autofs, krb5 for auth and OpenAFS for most of the filesystem. E.g. in daily work the passwords are in Krb5 and only the path of the homedir is taken from ldap, while all data are on OpenAFS.
Are there any errors to expect? E.g. passwords - while users can change their passwords on Krb5, the passwords are not changed in ldap - a user with 2 passwords could log in. I think I have to disable passwords via ldap. Any more?

Cya
Lars
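Two points from this thread, "afs-uid = ldap-uid" and keeping no password in ldap, can be checked mechanically. The following is an added example, not part of the original messages: it assumes an unfolded LDIF export of the user entries and text in the column layout of `pts listentries`; the user names, ids and DNs are constructed.

```python
"""Audit: AFS id equals LDAP uidNumber; no password left in LDAP (constructed data)."""
LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
uidNumber: 1001

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
uidNumber: 1002
userPassword:: Y29uc3RydWN0ZWQ=

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
uidNumber: 1003
"""
# Constructed listing in the column layout of `pts listentries`.
PTS = """\
Name                          ID  Owner Creator
alice                       1001   -204    -204
bob                         2002   -204    -204
"""

def parse_ldif(text):
    """Return {uid: (uidNumber, has_password)} from unfolded LDIF."""
    users = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # also splits "attr:: base64"
            attrs.setdefault(key.strip().lower(), value.strip())
        if "uid" in attrs and "uidnumber" in attrs:
            users[attrs["uid"]] = (int(attrs["uidnumber"]), "userpassword" in attrs)
    return users

def parse_pts(text):
    """Return {name: id} for user entries (positive ids) in the listing."""
    rows = (line.split() for line in text.splitlines()[1:])
    return {r[0]: int(r[1]) for r in rows if len(r) >= 2 and r[1].isdigit()}

def audit(ldif_text, pts_text):
    """List (uid, problem) pairs for every LDAP user breaking either rule."""
    ldap, pts, findings = parse_ldif(ldif_text), parse_pts(pts_text), []
    for uid, (number, has_password) in sorted(ldap.items()):
        if has_password:
            findings.append((uid, "userPassword present in LDAP"))
        if pts.get(uid) != number:
            findings.append((uid, f"id mismatch: ldap={number} afs={pts.get(uid)}"))
    return findings

print("\n".join(f"{uid}: {problem}" for uid, problem in audit(LDIF, PTS)))
```

An `afs=None` finding means the LDAP user has no protection database entry at all.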
