On Wed, 2004-11-24 at 02:44, Enrico Scholz wrote:

> It is impossible in the typical FC environment (2-3 hosts in a
> network, where one machine has 'www', 'ldap', 'imap', 'kerberos',
> 'db' alias-names). You will never get GSSAPI authentication with
> MIT kerberos running there.

I put "search <domain> ." in /etc/resolv.conf and can "telnet <shortname>" just fine. Don't know about MITKRB though.

However, Kerberos is mostly useful for large installations. While basing one of those on FC might not be a good idea, a single FC host should still fit in there just as well as a RHEL host.

> I never said this...

Ok, then. Sorry.

> Just, that the FC kerberos can not be set up
> correctly within a vanilla FC environment.

I doubt this...

> Yes, Heimdal seems to be far superior to MIT Kerberos. It supports
> replication and has better AFS support (although I do not know if this
> is still an issue with recent, krb5-based OpenAFS).

Nalin's new pam_krb5 minikafs should support krb5 with both OpenAFS 1.3 and Arla. It replaces the krb4-only krbafs RPM, which is based on code that is shared between KTH-KRB (krb4) and Heimdal. (Yes, enabling krb5 in krbafs should only be a matter of using the right #defines, but I don't think anything uses krbafs anymore.)

> It is a puzzle why FC ships MIT Kerberos only...

I might get around to submitting my RPMs when Extras opens. Still, RH has people in Boston, near MIT. I don't know if that matters.

> But I saw the man-page of BSD's implementation of kerberos... Support
> for TCP transport and tunneling over HTTP proxies... wow... I want to
> have this also...

I'm just glad I've never needed HTTP tunneling. :-)

/abo