[OpenAFS-devel] [Win] Status of remote logins

Mike Fedyk mfedyk@matchmail.com
Fri, 25 Feb 2005 17:41:52 -0800


Jeffrey Hutzelman wrote:

> On Friday, February 25, 2005 12:08:05 PM -0800 Mike Fedyk 
> <mfedyk@matchmail.com> wrote:
>
>> I'd suggest getting some documentation on the internals of AD and
>> Kerberos so this project can move forward.  Can anyone suggest some good
>> books for this (and maybe for the SCSI protocol too -- separate issue
>> entirely though)?
>
> The Kerberos protocol is well documented; in fact, it is an Internet 
> standards-track specification.  For the current specification, see 
> draft-ietf-krb-wg-kerberos-clarifications-07.txt, RFC3961, and RFC3962.
>
> This is a bit off-topic, but the SCSI protocol is also fairly well 
> documented; it is an IEEE standard.  For an overview of the SCSI-3 
> architecture and links to the drafts describing its architecture, 
> transports, and command sets, see <http://www.t10.org/scsi-3.htm>
>
> It should be noted that AD is not just a Kerberos server; it's also an 
> LDAP server.  The LDAP protocol is also an Internet standards-track 
> protocol, which is the subject of ongoing work in the ldapbis working 
> group.  See http://www.ietf.org/html.charters/ldapbis-charter.html

Thanks for the info, and I'll be reading them, but specifically what I 
was asking for are books that introduce each technology much like a book 
on programming.  I already understand some of the concepts used in them, 
but want to flesh out my knowledge on them and learn common techniques 
that probably won't be in a RFC or specification.  You wouldn't happen 
to know of any books like that, would you?

>
>
> Unfortunately, the problem is that AD is more than just LDAP and 
> Kerberos; it requires specific extensions, some of which are 
> poorly-documented, if at all.

Don't you love standards-track protocols that *aren't fully documented*?!

>   As Jeff has noted, it is certainly possible to build a replacement 
> for AD; in fact, there are a couple such projects which have already 
> been mentioned in this thread.
>
> However, such an effort is out of scope for the OpenAFS project.  
> OpenAFS is not an authentication service or a directory service, which 
> are the things AD does, and so it is not a replacement for AD.  AFS is 
> a distributed network filesystem, and it fills that role extremely 
> well -- so well, in fact, that I have yet to see its equal.  However, 
> it is not a complete distributed computing infrastructure, and does 
> not purport to be. No amount of asking "how can I have users log in to 
> my windows box without having local accounts or a directory service" 
> will change the fact that a directory service is an essential 
> component in any such system, and that service is simply not what AFS 
> does.

Yes, this is off-topic for this list.  Though I ask that this thread be 
allowed to end on its own, since it has been quite helpful to me (yes, I'm 
that selfish ;).

>
>
> If you are interested in work toward providing distributed computing 
> infrastructure based on Kerberos and LDAP, I suggest you check out 
> work like XAD (<http://www.padl.com/Products/XAD.html>) and the 
> Hurderos project (<http://www.hurderos.org/>).

Hmm, I haven't heard of Hurderos before.  I really am not in XAD's 
market since I don't have the money, and I won't be able to justify 
spending money for it when it could buy us a second Win2k3 server 
instead.  Does Hurderos have a mailing list?  They don't have one listed 
on their site.

Mike