[OpenAFS] Re: foreign-realm members of system:administrators have weakened powers?

Ken Hornstein kenh@cmf.nrl.navy.mil
Fri, 27 Jan 2006 14:38:12 -0500


>I may be abandoning this because there doesn't seem to be any reliable
>way for clients to figure out that the cell is its own realm (without
>requiring end-users to manually edit or replace their krb5.conf, which
>is way beyond the abilities of many people, sad as that fact may be).
>
>Basically, unless I can get this to a truly zero-configuration
>situation for users, my project is not gonna fly.  It's just the
>realities of how things are.

It's not like it's completely zero-conf now (except maybe under MacOS X).
You still have to distribute various Kerberos & AFS bits for people.

I know where you're coming from; I face a very similar problem
distributing Kerberos information to a very diverse end-user
population.  I simplify the matter by using a customized Kerberos
distribution.  It's not zero-conf, but once the user does a few simple
steps (we provide an installer for systems like Windows and MacOS X),
they are up and running.  This even works for the relatively
unsophisticated user.  I wish it was easier for them, but they seem to
be able to get work done, so I don't think it's too bad.  I wish TXT
record lookup was on by default, but I realized a long time ago it's
simpler just to distribute my own software rather than fight a battle
I'm not going to win.

--Ken