Re: [netatalk-admins] kerberos/authman & netatalk


Subject: Re: [netatalk-admins] kerberos/authman & netatalk
From: Michael Han (mikehan@best.com)
Date: Fri Apr 30 1999 - 13:14:48 EDT


Previously...
>Please forgive this novice question. All the netatalk documentation seems
>to assume the admin is familiar with Kerberos. I am not. Please describe the
>relationship between netatalk, kerberos, and authman. Does netatalk, or
>specifically afpd, use a "Kerberos style" authentication where it makes its
>own keys? OR does it require a "full blown" kerberos keyserver setup as
>described in http://www.ornl.gov/~jar/HowToKerb.html ??

Never dealt with kerberos, but my understanding of kerberos in
netatalk is that if you don't know that you definitely want it, you don't
want it... kerberos doesn't seem trivial to implement and while it can
help you solve a *lot* of problems, it's a major undertaking to
install/support.

>I added DES but not KERBEROS in an attempt to get encrypted passwords
>a'la RAND2NUM.
>BUT my mac logins still reported clear text passwords and even worse they
>would hang for 2+ minutes before returning a "Server quit unexpectedly"
>message. Incorrect passwords failed immediately as they should.
>DES with no KERBEROS seemed to break things.

You're having trouble with PAM support, I'd wager. That or maybe the
absence of the user's shell listed in /etc/shells. PAM support isn't
working properly under Solaris right now.

>BTW: I'm also a bit confused as to the .passwd file. does it contain the
>password as the only text or do I include a username?
>Is the password different from the regular unix password?
>I may be willing to live with RAND2NUM if I concede the server isn't
>99% secure.

Someone else answered this question.

>Seems like an awful lot of trouble just to encrypt passwords.
>I have latest netatalk+asun working on Solaris 2.6 using atalkd & tcp/ip
>WITHOUT DES or KERBEROS. Only problem is the clear passwords.
>If I can get this to work & share a dir with SAMBA it will be way cool!

Blame it on the supported UAMs... And I hear Apple hasn't fixed the
situation with OS X, which I assumed they would do... Apparently,
there are two password lists, one in /etc/passwd or /etc/shadow, and one
for AFP... So they're doing something pretty similar to what netatalk
servers do. Anyway, getting back to the UAMs, the only UAMs currently
available for the latest AppleShare clients (with ASIP support) are
cleartext or RandNum/Rand2Num. AuthMan is being reworked and should be
available pretty soon, I hear, allowing for Kerberos support, too.

-- 
mikehan@best.com
I will remember to take my medication
 - The collected wisdom of Bart Simpson
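The reply above names one mundane cause of failed AFP logins: the user's login shell is not listed in /etc/shells. The following check is an added example, not code from the thread or from netatalk; it parses /etc/passwd-style and /etc/shells-style text and reports accounts whose shell is unregistered. The sample file contents are constructed so the check runs offline; `audit_files` reads the real files on a host.

```python
# Added example (not from the original thread or netatalk): find accounts
# whose login shell is not registered in /etc/shells, a condition that can
# make daemons which consult getusershell(3) reject an otherwise valid login.

def parse_shells(text):
    """Return the set of shell paths from /etc/shells-style text."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored by getusershell(3)
        shells.add(line)
    return shells


def parse_passwd(text):
    """Return (user, uid, shell) tuples from /etc/passwd-style text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than misreport it
        user, _, uid, _, _, _, shell = fields
        # passwd(5): an empty shell field means /bin/sh
        entries.append((user, int(uid), shell or "/bin/sh"))
    return entries


def unlisted_shell_users(passwd_text, shells_text, min_uid=100):
    """Login names with uid >= min_uid whose shell is absent from /etc/shells.

    System accounts below min_uid are skipped; they are not expected to log
    in over AFP, and their shells (e.g. /sbin/sh) are often unlisted on purpose.
    """
    allowed = parse_shells(shells_text)
    return [user for user, uid, shell in parse_passwd(passwd_text)
            if uid >= min_uid and shell not in allowed]


def audit_files(passwd_path="/etc/passwd", shells_path="/etc/shells"):
    """Run the check against real files on the host."""
    with open(passwd_path) as p, open(shells_path) as s:
        return unlisted_shell_users(p.read(), s.read())


# Constructed sample data (hypothetical accounts, Solaris-style paths).
SAMPLE_SHELLS = """\
# /etc/shells
/bin/sh
/bin/csh
/bin/ksh
"""

SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
bob:x:1002:10:Bob:/export/home/bob:/usr/local/bin/bash
carol:x:1003:10:Carol:/export/home/carol:/bin/false
dave:x:1004:10:Dave:/export/home/dave:
"""

if __name__ == "__main__":
    for user in unlisted_shell_users(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(f"{user}: login shell not listed in /etc/shells")
```

In the sample, `bob` (a locally built bash) and `carol` (/bin/false) are reported, while `dave`'s empty shell field resolves to /bin/sh and passes. One caveat when using `audit_files` on a real host: if /etc/shells does not exist, getusershell(3) falls back to a built-in default list rather than an empty one, so a missing file is not the same as an empty file and needs to be treated separately.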



This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:16:40 EST