[OpenAFS] Re: Authentication without aklog

Andrew Deason adeason@sinenomine.net
Tue, 5 Aug 2014 10:43:19 -0500

On Tue, 05 Aug 2014 09:34:30 -0500
Douglas E Engert <deengert@gmail.com> wrote:

> On 8/4/2014 9:35 PM, Andrew Deason wrote:
> > Users of all other kerberized services do not need to "login" to every
> > service they use. If everything is configured properly to use kerberos,
> > I don't need to separately login to the ldap server, to ssh, to
> > kerberized nfs, or even to a website using spnego.I just use the
> > relevant service after I have acquired kerberos tickets.
> > Of course, most
> > of those are userspace programs where this is much easier, but I see no
> > reason for the user experience to be different for a non-userspace
> > application if there are no technical obstacles making it impossible.
> > (And imo, NFS has shown it's not impossible.)
> That works if both user and server are in same realm or with cross
> realm trust. An afs aklog daemon could work like (or use) the
> rpc.gssd.

Yes... that's what I've been proposing. (Well, one of the approaches.)

> This works well in an enterprise,or where cross realm trust between
> organization is setup. But wide spreed cross realm trust has not
> caught on.  and it is not clear if the original question of this
> thread was addressing where the user did not do a Kerberos login.

I don't see how that matters. Either the user logged in via pam_krb5 or
something, or they logged in without any krb5 integration and manually
ran 'kinit'. Either way it should be possible to work without any
AFS-aware authentication steps.

> As a side note, where I used to work, is a member of InCommon, uses AD
> for kerberos, and the Shibboleth IDP would accept user/password,
> Smartcards or Windows Auto Enroll certificates, or Kerberos credentials
> for authentication. We used Box and other cloud services. AFS is used
> only internally and works without the users having to use aklog
> if they logged in via Kerberos to AD.

I'm assuming you mean that 'aklog' or an equivalent was run during the
login process, and it just wasn't visible to the users. That is, 'aklog'
(or equivalent) was still run; the system was just setup to do it for

Andrew Deason