A few questions about implementing a KDC for OpenAFS - Kerberos



Thread: A few questions about implementing a KDC for OpenAFS

  1. A few questions about implementing a KDC for OpenAFS

    Hi

    I am going through the MIT Kerberos 5 Installation Guide, and have a few
    questions for the KDC I intend to implement for our group's OpenAFS
    server(s) :

    1. Which is the better choice from the point of view of a Kerberos
    authentication mechanism that fully integrates with OpenAFS (I will be
    using Debian Sarge) - MIT or Heimdal?

    2. The group I administer servers for is a part of a much larger
    organization which has its own realm and AFS setup. However, I want only a
    subset of that organization (viz. my own group) to be authenticated for
    access to our fileservers (which have FQDNs and are visible on the
    Internet, running Slackware 10.1). Is it possible for me to get away
    without implementing a KDC at all and just pass on the authentication
    requests to the organization's KDC after ensuring that they belong to a
    restricted subset of the users at my end?

    3. Let us assume that the answer to 2 above is no. In that case, is it
    possible for me to hide the KDC completely from the Internet (with class C
    addresses)? Let us assume the following topology:

    Fileserver (with a lot of hard disk space with two network interfaces - with
    network addresses - FQDN address and a class C address, say 192.168.0.1)
    -------- KDC server (a small amount of hard disk space with IP
    192.168.0.2).

    All the clients would have dynamic IP addresses in the range that is outside
    of the class C network (obtained from a DHCP server in the larger
    organization I referred to in 2 above).

    I guess I am asking if it is possible for the fileservers to "forward"
    authentication requests in some fashion to a KDC that the clients know (and
    can know) nothing about.

    Or should the KDC be the machine that is visible on the Internet and the
    fileservers have the class C addresses ?

    Please bear with me - this is the first time I am trying to set up a KDC and am
    also totally new to Kerberos administration. Any pointers to relevant
    documentation would be greatly welcome.

    MS

  2. Re: A few questions about implementing a KDC for OpenAFS

    Madhusudan Singh writes:

    > 1. Which is the better choice from the point of view of a Kerberos
    > authentication mechanism that fully integrates with OpenAFS (I will be
    > using Debian Sarge) - MIT or Heimdal?

    Either will work, and I believe both have support in Debian already,
    although the configuration transcript that comes with the OpenAFS packages
    assumes MIT. The advantage of Heimdal is that it more natively supports
    pretending to be an OpenAFS kaserver, which is sometimes useful.

    > 2. The group I administer servers for is a part of a much larger
    > organization which has its own realm and AFS setup. However, I want only
    > a subset of that organization (viz. my own group) to be authenticated
    > for access to our fileservers (which have FQDNs and are visible on the
    > Internet, running Slackware 10.1). Is it possible for me to get away
    > without implementing a KDC at all and just pass on the authentication
    > requests to the organization's KDC after ensuring that they belong to a
    > restricted subset of the users at my end?

    You can create PTS entries only for a limited set of users in your local
    Kerberos realm. Only users with PTS entries will be able to use their
    Kerberos tickets to get more than system:anyuser access to the AFS cell,
    if I recall correctly.

    > I guess I am asking if it is possible for the fileservers to "forward"
    > authentication requests in some fashion to a KDC that the clients know
    > (and can know) nothing about.

    Only if you use only the native K4 AFS protocol to do authentication,
    which definitely isn't the recommended configuration. If you use K5 for
    authentication, as is recommended, the clients need to talk directly to
    the KDC.

    --
    Russ Allbery (rra@stanford.edu)
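
The answer above rests on one property: a Kerberos user without a PTS entry is treated as system:anyuser by the fileserver, so the rights granted to system:anyuser are the floor of what everyone outside the restricted group can do. The following is an added example (not from the thread or from OpenAFS) that parses `fs listacl` output and flags directories where system:anyuser holds more than read/lookup rights, or where an ACL names a principal outside the intended PTS set; the sample output and the PTS set are constructed.

```python
"""Audit `fs listacl` output for over-broad system:anyuser rights and for
ACL entries naming principals outside the allowed PTS set."""

# Constructed sample in the layout `fs listacl` prints (not a real cell).
SAMPLE_LISTACL = """\
Access list for /afs/example.org/project is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlw
  alice rlidwka
  bob rl
Negative rights:
  mallory rlidwka
"""

# Constructed: the users that are supposed to have PTS entries in this cell.
PTS_USERS = {"alice", "bob"}

# Read and lookup are the only rights that should ever be granted anonymously.
READ_ONLY = set("rl")


def parse_listacl(text):
    """Return (path, normal, negative); the dicts map principal -> rights."""
    path, normal, negative = None, {}, {}
    current = normal
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Access list for "):
            path = line[len("Access list for "):].rsplit(" is", 1)[0]
        elif line == "Normal rights:":
            current = normal
        elif line == "Negative rights:":
            current = negative
        elif line:
            principal, rights = line.split()
            current[principal] = rights
    return path, normal, negative


def audit_acl(text, pts_users):
    """Return human-readable findings for one `fs listacl` output block."""
    path, normal, _negative = parse_listacl(text)
    findings = []
    for principal, rights in normal.items():
        if principal == "system:anyuser":
            extra = set(rights) - READ_ONLY  # anything beyond read/lookup
            if extra:
                findings.append(f"{path}: system:anyuser has extra rights "
                                f"{''.join(sorted(extra))}")
        elif not principal.startswith("system:") and principal not in pts_users:
            findings.append(f"{path}: {principal} is not in the allowed PTS set")
    return findings
```

Feed it the concatenated output of `fs listacl` over the cell's exported directories to get a list of places where the PTS-based restriction is undone by the ACL itself.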
