[OpenAFS] Some questions about the future of OpenAFS

Douglas E. Engert deengert@anl.gov
Wed, 01 May 2002 11:15:46 -0500

Derek Atkins wrote:
> "Douglas E. Engert" <deengert@anl.gov> writes:
> > That could still work, if the token the gssklogd creates is a cell token
> > which can be used to obtain server tokens.
> Which implies that the "cell token" is a TGT for the "cell realm" and
> that "server tokens" are "service tickets" for the servers.  You've just
> made an AFS Cell == Kerberos Realm again.  You just changed the names
> (to protect the guilty? ;)

Maybe. You can still use Kerberos internally, and so the cell could be 
in a realm. But with K5 you now have cross realm as a feature, and needs to be
addressed. This then this brings up the authorization questions.

AFS has done the authorization via the PTS. Will this continue to
work the same way? Would you map foreign users to local users in the PTS?
Will foreign users be allowed on ACLs? 
Do you still have the AFS ID? Do these need to be UUIDs?

How will AFS be different from DFS in these areas? 

> -derek
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available


 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444