[OpenAFS] The removal of afscreds.exe and afs_config.exe on Windows Vista and Windows 7: Seeking Opinions

Chaz Chandler clc31@inbox.com
Fri, 09 Oct 2009 19:34:18 -0400

> What has been voiced as part of this thread by Chaz and Dave and perhaps
> by Ragge (not sure yet) is that there is a desire to have an AFS
> identity centric model in preference to a Kerberos v5 identity centric
> model when it comes to authentication.  ...

Yes, perhaps that's the best way to think about the value that afscreds
currently brings: it's AFS identity-centric.  Some of the "red X"
comments highlight the value of this emphasis from the user's
perspective.  I would guess that some sites only use krb5 because they
need some kind of authentication method for AFS (and, of course, krb4 is
no longer a good bet).

Given that:

> 1. in order to perform credentials acquisition or drive mapping
>    the process must be unprivileged.
> 2. in order to start/stop the service or change configuration
>    settings it must be "run as administrator"

And some of the other comments on the list, could the future of afscreds
be isolated to #1 (unprivileged-type activities)?  Then let the
following items take care of more complex scenarios and privileged

> 1. A Microsoft Management Console for configuration which Brant
>    Gurganus worked on for GSoC but has yet to be completed.
> 2. Explorer Shell extensions to provide a tighter integration
>    between AFS and the user desktop experience so that drive
>    mapping would no longer be required.
> 3. Network Identity Manager for authentication.