[OpenAFS] Re: foreign-realm members of system:administrators have weakened powers?
Ken Hornstein
kenh@cmf.nrl.navy.mil
Fri, 27 Jan 2006 14:38:12 -0500
>I may be abandoning this because there doesn't seem to be any reliable
>way for clients to figure out that the cell is its own realm (without
>requiring end-users to manually edit or replace their krb5.conf, which
>is way beyond the abilities of many people, sad as that fact may be).
>
>Basically, unless I can get this to a truly zero-configuration
>situation for users, my project is not gonna fly. It's just the
>realities of how things are.
It's not like it's completely zero-conf now (except maybe under MacOS X).
You still have to distribute various Kerberos & AFS bits for people.
I know where you're coming from; I face a very similar problem
distributing Kerberos information to a very diverse end-user
population. I simplify the matter by using a customized Kerberos
distribution. It's not zero-conf, but once the user does a few simple
steps (we provide an installer for systems like Windows and MacOS X),
they are up and running. This even works for the relatively
unsohpisticated user. I wish it was easier for them, but they seem to
be able to get work done, so I don't think it's too bad. I wish TXT
record lookup was on by default, but I realized a long time ago it's
simpler just to distribute my own software rather than fight a battle
I'm not going to win.
--Ken