--- /dev/null
+The [[AFSDB]] DNS resource record is used to specify DCE or AFS DBserver hosts.
+
+ name {ttl} addr-class AFSDB subtype server host name
+ toaster.com. IN AFSDB 1 jack.toaster.com
+ toaster.com. IN AFSDB 1 jill.toaster.com.
+ toaster.com. IN AFSDB 2 tracker.toaster.com.
+
+[[AFSDB]] records are used to specify the hosts that provide a style of distributed service advertised under this domain name. A subtype value (analogous to the "preference" value in the MX record) indicates which style of distributed service is provided with the given name. Subtype 1 indicates that the named host is an AFS database server for the AFS cell of the given domain name. Subtype 2 indicates that the named host provides intra-cell name service for the DCE cell named by the given domain name. In the example above, jack.toaster.com and jill.toaster.com are declared to be AFS database servers for the toaster.com AFS cell, so that AFS clients wishing service from toaster.com are directed to those two hosts for further information. The third record declares that tracker.toaster.com houses a directory server for the root of the DCE cell toaster.com, so that DCE clients that wish to refer to DCE services should consult with the host tracker.toaster.com for further information. The DCE sub-type of record is usually accompanied by a TXT record for other information specifying other details to be used in accessing the DCE cell. RFC 1183 contains more detailed information on the use of this record type.
+
+The [[AFSDB]] record is still experimental; not all name servers implement or recognize it.
+
+Copied from the BIND Operator's Guide
+
+-- [[DerrickBrashear]] - 24 Jan 2002
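Review bot: The first example record, `toaster.com. IN AFSDB 1 jack.toaster.com`, is missing the trailing dot that the other two host names carry. In a zone file a name without the final dot is taken relative to the origin, so this line would direct clients to jack.toaster.com.toaster.com; it should read `jack.toaster.com.`. The syntax line above the examples would also read better with the last field written as a single token, since "server host name" looks like three fields.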
As of Windows NT version 5.0, normally known by the name Windows 2000, the domain controller (aka [[ActiveDirectory]]) uses [[KerberosV]] for authentication.
-The resulting TGT tickets use a proprietary authorization data format. There was a big flamefest on this issue, though [[KerberosDCE]] also uses the V5 ticket's authorization data field to store group membership data, the details of Microsoft's format was murky.
+The resulting TGT tickets use a proprietary authorization data format. There was a big flamefest on this issue, though [[KerberosDCE]] also uses the V5 ticket's authorization data field to store group membership data, the details of Microsoft's format was murky. It is now documented by a paper which essentially requires you to agree to never use the information if you read it, making it similarly useless.
[[NathanNeulinger]] has used Windows 2000 to provide authentication for AFS. See his [message](http://lists.openafs.org/pipermail/openafs-info/2002-January/002893.html) to [[OpenAFSInfo]] for details.
--- [[TedAnderson]] - 23 Jan 2002
+-- [[TedAnderson]] - 23 Jan 2002 -- [[DerrickBrashear]] - 24 Jan 2002 added the information about the paper.
----
## <a name="HeimdalKTH -- the international"></a><a name="HeimdalKTH -- the international "></a> [[HeimdalKTH]] -- the international version of Kerberos version 5
-Here's some [mail](http://lists-openafs.central.org/pipermail/openafs-info/2001-April/000591.html) from [[DerrickBrashear]] for using [[HeimdalKTH]] for AFS authentication.
+Here's some [mail](http://lists-openafs.central.org/pipermail/openafs-info/2001-April/000591.html) from [[DerrickBrashear]] for using [[HeimdalKTH]] for AFS authentication. An updated version of this document can be found here: <file:/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt>
- afslog
- ktutil -- for example to create a [[KeyFile]] for AFS servers you can use this sequence<br />`ktutil -k keytab.afs get afs@MY.REALM`<br />`ktutil copy FILE:keytab.afs AFSKEYFILE:/usr/vice/etc/KeyFile`<br /> It can also convert from `srvtab` format.
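Review bot: The sentence added at the end of the authorization-data paragraph refers to "a paper" without a title or a link, so a reader cannot find the document or check the terms being described; please name it or link it. While that line is being changed, "the details of Microsoft's format was murky" should be "were murky". The `file:/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt` link added to the HeimdalKTH paragraph only resolves on a machine with an AFS client running, which is worth saying next to the link.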
--- /dev/null
+The database used by clients and servers to locate the AFS DBservers in a cell. In modern clients this information is supplemented by information looked up in [[AFSDB]] DNS resource records. A [[CellServDB]] including all sites which have chosen to publish themselves can be found at: <http://grand.central.org/dl/cellservdb/CellServDB>
+
+Sites can request addition by mailing <cellservdb@grand.central.org>
+
+-- [[DerrickBrashear]] - 24 Jan 2002
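Review bot: The opening sentence of the new page is a fragment with no subject; starting it with "[[CellServDB]] is the database used by ..." would fix that. The page says [[AFSDB]] DNS records supplement this file in modern clients but not which source is used when the two disagree, and the published list is linked over plain http. Both deserve a sentence, since this file is what clients and servers use to locate the DBservers for a cell.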
--- /dev/null
+In addition to being endemic to Coda, [[CITI]] created a version of AFS which supports disconnecting from the network while letting the client continue to access data in it's cache, and to write data for resynchronization upon reconnection to the network.
+
+This code was later ported to Arla and my understanding is as of this date requires some work before it will be useful.
+
+You can read more about it here: <http://www.citi.umich.edu/techreports/reports/citi-tr-93-3.pdf>
+
+-- [[DerrickBrashear]] - 24 Jan 2002
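Review bot: "it's cache" in the first sentence should be "its cache". The same sentence opens with "In addition to being endemic to Coda" without naming what is endemic; stating the feature first (the disconnected mode the rest of the sentence describes) would let the page stand on its own. In the second paragraph, "as of this date" would be clearer as the actual date.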
--- /dev/null
+Instead of mounting the home cell's root.afs volume at the AFS mount point (typically /afs) a fake root is constructed from information available in the client's [[CellServDB]].
+
+-- [[DerrickBrashear]] - 24 Jan 2002
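Review bot: The new page describes the behaviour but never says what the feature is called or how a client is configured to use it, so a reader arriving from a link has nothing to search for. It would also help to state what happens to cells that are not listed in the client's [[CellServDB]], since the fake root is built from that file.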
----
-Useful topics: [[SettingUpAuthentication]], [[CrossRealmAutentication]]
+Useful topics: [[SettingUpAuthentication]], [[CrossRealmAuthentication]]
-- [[TedAnderson]] - 22 Jan 2002
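Review bot: The link target changes from [[CrossRealmAutentication]] to [[CrossRealmAuthentication]]; if a topic was already created under the misspelled name, it needs to be renamed in the same change or the corrected link will point at an empty page.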
-The [[KaServer]] is an implementation of [[KerberosIV]] that comes with AFS (Does [[OpenAFS]] still install/setup the kaserver?). It implements the standard version 4 UDP interface on port 750, but also suplements this with an [[RxRPC]] interface.
+The [[KaServer]] is an implementation of [[KerberosIV]] that comes with AFS ([[OpenAFS]] still includes the kaserver, but it's suggested you instead install a [[KerberosV]] implementation to use in its place). It implements the standard version 4 UDP interface on port 750, but also suplements this with an [[RxRPC]] interface.
The [[RxRPC]] interface provides authentication services and is used by klog. It differs from the V4 interface in that it requires pre-authentication which avoids a problem identified with the V4 protocol and fixed in [[KerberosV]]. There is an option to the [[KaServer]] to disable port 750 but while improving security it reduces compatibility with non-AFS V4 applications.
[[KenHornstein]]'s AFS-Kerberos5 migration toolkit is here: <ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/>.
--- [[TedAnderson]] - 22 Jan 2002
+[[DerrickBrashear]]'s document for converting from the [[KaServer]] to [[HeimdalKTH]] is here: <file:/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt>
+
+-- [[TedAnderson]] - 22 Jan 2002 -- [[DerrickBrashear]] - 23 Jan 2002
Some other issues to explain:
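Review bot: The rewritten first line still carries the typo "suplements" (should be "supplements"); since the line is being changed anyway, it can be fixed in the same edit. The new parenthetical recommends installing a [[KerberosV]] implementation in place of the kaserver but gives no reason. The following paragraph, which says the V4 interface has a problem that pre-authentication avoids and that [[KerberosV]] fixes, is the natural thing to point to.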
[[HartmutReuter]] responded in the same thread indicating that much of the client work has been done to support [[MultiResidentAFS]]. Doing the server part of the work is probably not as difficult.
-- [[TedAnderson]] - 17 Jan 2002
+
+This client-side work is available in the [[OpenAFSCVS]] tree and is expected to become available in the next series of stable releases after the 1.2 series.
+
+-- [[DerrickBrashear]] - 24 Jan 2002
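Review bot: The added paragraph says the client-side work "is expected to become available in the next series of stable releases after the 1.2 series", a statement that will go stale without anyone noticing. Naming the branch or directory in [[OpenAFSCVS]] where the work lives would let a reader check the current state. The paragraph also sits below the existing signature, so it is not obvious which signature covers which statement.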
--- /dev/null
+The home of [[OpenAFS]] development, the [[OpenAFSCVS]] tree can be browsed at: <http://www.openafs.org/frameset/cgi-bin/cvsweb.cgi/openafs/> or can be accessed at :pserver:anonymous@cvs.openafs.org:/cvs as module openafs. The password for anonymous is anonymous.
+
+-- [[DerrickBrashear]] - 24 Jan 2002
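Review bot: The CVSROOT in the added sentence, `:pserver:anonymous@cvs.openafs.org:/cvs`, and the module name `openafs` are run into the prose, where the leading colon is easy to lose when copying. Setting both as verbatim text, and ending the sentence after the browse URL, would make the checkout details usable as written.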
-The [[OpenAFS]] project has several [mailing lists](https://lists.openafs.org/mailman/listinfo/), one of which is [OpenAFS-devel](https://lists.openafs.org/mailman/listinfo/openafs-info) is for general discussion of [[OpenAFS]] and is archived at <http://lists.openafs.org/pipermail/openafs-info/>.
+The [[OpenAFS]] project has several [mailing lists](https://lists.openafs.org/mailman/listinfo/), one of which is [OpenAFS-info](https://lists.openafs.org/mailman/listinfo/openafs-info) is for general discussion of [[OpenAFS]] and is archived at <http://lists.openafs.org/pipermail/openafs-info/>.
-- [[TedAnderson]] - 23 Jan 2002
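Review bot: The corrected line still reads "one of which is [OpenAFS-info](...) is for general discussion", with a doubled "is". Rewording to "of which OpenAFS-info is for general discussion" fixes the sentence. The list page is linked over https while the archive link on the same line is http; the two could be made consistent.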
--- /dev/null
+<http://www.stacken.kth.se/>
+
+-- [[DerrickBrashear]] - 24 Jan 2002
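Review bot: The new page consists only of the URL `http://www.stacken.kth.se/`, with nothing to say what the site is or why the wiki links to it. One sentence of description would make the topic useful to a reader who arrives here from another page.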
-The function that maps a password to an encryptio key is called [[StringToKey]]. The AFS standard one uses the realm name as a salt. The MIT standard is different from this and there were changes between v4 and v5 as well, I think.
+The function that maps a password to an encryption key is called [[StringToKey]]. The AFS standard one uses the realm name as a salt. The MIT standard is different from this and there were changes between v4 and v5 as well, I think.
-- [[TedAnderson]] - 23 Jan 2002
The MIT v5 [[StringToKey]] uses the same underlying algorithm as the v4 [[StringToKey]], but adds a salt based on the principal name.
+
+-- [[DerrickBrashear]] - 24 Jan 2002
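Review bot: The corrected first paragraph still ends with "I think" about the v4 and v5 differences, while the paragraph below it states the relationship outright. Since the page is being edited, the hedge could be dropped or the two paragraphs merged. The signature added at the end attaches to a paragraph this change does not modify, so it is worth confirming that this is the intended attribution.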