[comp.protocols.kerberos] Do we really want Kerberos?

lauer@BTC.KODAK.COM (Hugh C. Lauer) (12/01/89)

I have been reading the various published material on Kerberos, and I
am interested.  My question is, will it go some way to solving our problem?

Here is my situation -- we have a large and rapidly growing software
development organization spread across about six sites nationwide. 
People from different sites work very closely with each other on
particular projects, and there are a lot of projects.  Thus, for
example, a developer in Santa Monica will need to login to and update a
directory on a host in Bedford, while another will have to update
something on a host in Rochester.  A typical user is a member of more
than one project.

Managing the authentication of the users across sites is a horrendous
undertaking -- even managing the recognition of users' names at the
different sites is difficult.  I really would like the local site
administrators to manage their own users, but I want the users to be
recognizable at our other sites.  In particular, they need to be
recognizable both when they travel physically and when they travel only
via the wide area network.

Ideally, it should be possible for me to walk up to any machine in my
department in any of my locations, type my name and password, and have
the same authorities that I would have had from my
own workstation.  Moreover, I really want it to establish my own
environment wherever I am.  Sun Yellow Pages and Apollo's Domain system
both did this for me, but only within the confines of my local
facility, not three thousand miles away.

A wrinkle in all of this is that as large as we are, we are only a
small department in a giant corporation.  Most of the rest of the
corporation is still in the stone age as far as computer networking is
concerned, so we are leading the way.  Among other things, we will need
to be adding new client groups (possibly at different sites) from time to time.

So my question is, will Kerberos be a useful tool for me?  What other
tools will also help?

Thanks,

/Hugh C. Lauer

henk@cs.eur.nl (Henk Langeveld) (12/02/89)

Hugh C. Lauer writes:

>Ideally, it should be possible for me to walk up to any machine in my
>department in any of my locations, type my name and password, and have
>the same authorities that I would have had from my
>own workstation.  Moreover, I really want it to establish my own
>environment wherever I am.  Sun Yellow Pages and Apollo's Domain system
>both did this for me, but only within the confines of my local
>facility, not three thousand miles away.

It's under development.  It's called Plan 9... from Bell Labs.
From what I heard (and read), it addresses exactly the problem that you
come up with:  How to build a system that will give anyone their own
environment, wherever they are (physically).

Look up papers by Pike et al.

Followup to comp.society.futures.  This subject has little to do with the
kerberos protocols.

Henk
-- 
Henk Langeveld, Unix SysAdmin	| domain: <henk@cs.eur.nl>
Department of Computer Science	| phone:  +31 10 4081346
Erasmus University Rotterdam	| also:   langeveld@hroeur5.bitnet
Room H5-05, P.O.Box 1738, NL-3000 DR  Rotterdam, The Netherlands.

davecb@yunexus.UUCP (David Collier-Brown) (12/04/89)

lauer@BTC.KODAK.COM (Hugh C. Lauer) writes:
>Managing the authentication of the users across sites is a horrendous
>undertaking -- even managing the recognition of users' names at the
>different sites is difficult.  I really would like the local site
>administrators to manage their own users, but I want the users to be
>recognizable at our other sites.

  Well, you've described a problem set that daemons like Hesiod (sp?)  and
Kerberos are part of the solution to.  As you might guess, they're necessary
but not sufficient...

  In the case you describe, you will need to at least simulate a distributed
directory of users (i.e., you can have N independent ones and update them every
so often) and one or more Kerberoi, all agreeing to cooperate.  The latter
should be a good configuration to ask this group about...

--dave
-- 
David Collier-Brown,  | davecb@yunexus, ...!yunexus!davecb or
72 Abitibi Ave.,      | {toronto area...}lethe!dave 
Willowdale, Ontario,  | Joyce C-B:
CANADA. 416-223-8968  |    He's so smart he's dumb.