On 2011-03-17 14:53:37 Celejar wrote:
>> Already using Kerberos everywhere? If not, don't bother with AFS. I'm
>> not sure about Coda, but I think it is the same situation.
>
>Would you mind elaborating a bit? Are you talking about security,
>authentication, encryption?

Kerberos is primarily authentication. It provides some information to authorization systems built on top of it and has some small authorization conventions for managing the domain. It uses encryption to enable the authentication, but doesn't necessarily enforce any protocol-level encryption on applications using it for authentication.

From what I understand, permissions on files under AFS are not really handled the way a "simple" UNIX filesystem is (uid/gid/perms in the inode, optional acl extensions). Instead, files are owned and permissions granted based on your Kerberos principal for the domain the AFS is in.

Essentially, a Kerberos infrastructure is necessary to use AFS, at least a minimal one. And, with a truly minimal Kerberos configuration, I don't think it would be any more secure and probably more poorly performing than an equivalent NFS.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/