[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: suggestion: move krb5 daemons to krb5-daemons subpackage



On Wed, 2004-11-24 at 02:44, Enrico Scholz wrote:

> It is impossible in the typical FC environment (2-3 hosts in a
> network, where one machine has 'www', 'ldap', 'imap', 'kerberos',
> 'db' alias-names). You will never get GSSAPI authentication with
> MIT kerberos running there.

I put "search <domain> ." in /etc/resolv.conf and can "telnet
<shortname>" just fine. Don't know about MITKRB though.

However, Kerberos is mostly useful for large installations. While basing
one of those on FC might not be a good idea, a single FC host should
still fit in there just as well as a RHEL host.

> I never said this... 

Ok, then. Sorry.

> Just, that the FC kerberos can not be set up
> correctly within a vanilla FC environment.

I doubt this...

> Yes, Heimdal seems to be far superior to MIT Kerberos. It supports
> replication and has better AFS support (although I do not know if this
> is still an issue with recent, krb5-based OpenAFS).

Nalin's new pam_krb5 minikafs should support krb5 with both OpenAFS 1.3
and Arla. It replaces the krb4-only krbafs RPM, which is based on code
that is shared between KTH-KRB (krb4) and Heimdal. (Yes, enabling krb5
in krbafs should only be a matter of using the right #defines, but I
don't think anything uses krbafs anymore.)

>  It is a puzzle why FC ships MIT Kerberos only...

I might get around to submitting my RPMs when Extras opens. Still, RH
has people in Boston, near MIT. I don't know if that matters.

> But I saw the man-page of BSD's implementation of kerberos... Support
> for TCP transport and tunneling over HTTP proxies... wow... I want to
> have this also...

I'm just glad I've never needed HTTP tunneling. :-)

/abo



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]