On Thu, 17 Mar 2011 16:05:53 -0500
"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> wrote:
> On 2011-03-17 14:53:37 Celejar wrote:
> >> Already using Kerberos everywhere? If not, don't bother with AFS. I'm
> >> not sure about Coda, but I think it is the same situation.
> >
> >Would you mind elaborating a bit? Are you talking about security,
> >authentication, encryption?
>
> Kerberos is primarily authentication. It provides some information to
> authorization systems built on top of it and has some small authorization
> conventions for managing the domain. It uses encryption to enable the
> authentication, but doesn't necessarily enforce any protocol-level encryption
> on applications using it for authentication.
>
> From what I understand, permissions on files under AFS are not really handled
> the way a "simple" UNIX filesystem is (uid/gid/perms in the inode, optional
> acl extensions). Instead, files are owned and permissions granted based on
> your Kerberos principal for the domain the AFS is in. Essentially, a Kerberos
> infrastructure is necessary to use AFS, at least a minimal one. And, with a
> truly minimal Kerberos configuration, I don't think it would be any more
> secure and probably more poorly performing than an equivalent NFS.

Got it; thanks. I suppose I'll probably go with NFS, if for no other