suggestion: move krb5 daemons to krb5-daemons subpackage
Alexander Boström
abo at kth.se
Wed Nov 24 10:38:55 UTC 2004
On Wed, 2004-11-24 at 02:44, Enrico Scholz wrote:
> It is impossible in the typical FC environment (2-3 hosts in a
> network, where one machine has 'www', 'ldap', 'imap', 'kerberos',
> 'db' alias-names). You will never get GSSAPI authentication with
> MIT kerberos running there.
I put "search <domain> ." in /etc/resolv.conf and can "telnet
<shortname>" just fine. Don't know about MITKRB though.
However, Kerberos is mostly useful for large installations. While basing
one of those on FC might not be a good idea, a single FC host should
still fit in there just as well as a RHEL host.
> I never said this...
Ok, then. Sorry.
> Just, that the FC kerberos can not be set up
> correctly within a vanilla FC environment.
I doubt this...
> Yes, Heimdal seems to be far superior to MIT Kerberos. It supports
> replication and has better AFS support (although I do not know if this
> is still an issue with recent, krb5-based OpenAFS).
Nalin's new pam_krb5 minikafs should support krb5 with both OpenAFS 1.3
and Arla. It replaces the krb4-only krbafs RPM, which is based on code
that is shared between KTH-KRB (krb4) and Heimdal. (Yes, enabling krb5
in krbafs should only be a matter of using the right #defines, but I
don't think anything uses krbafs anymore.)
> It is a puzzle why FC ships MIT Kerberos only...
I might get around to submitting my RPMs when Extras opens. Still, RH
has people in Boston, near MIT. I don't know if that matters.
> But I saw the man-page of BSD's implementation of kerberos... Support
> for TCP transport and tunneling over HTTP proxies... wow... I want to
> have this also...
I'm just glad I've never needed HTTP tunneling. :-)
/abo
More information about the devel
mailing list