[AFS3-std] Revised PTS authentication name mapping draft, call for review

Simon Wilkinson simon@sxw.org.uk
Fri, 18 Jun 2010 18:56:13 +0100


On 18 Jun 2010, at 18:49, Derrick Brashear wrote:
[section 10.4]
> Other commenters have come down on the side of the above as-is. I am
> not wed to it. I would be happy to accommodate this as I feel simply
> using GSSAPI export names globally would be more consistent.

My argument boils down to: If I am building a hypothetical AFS product
which only supports GSSAPI, I'm not sure why I should be forced to have
my server convert from GSSAPI to Kerberos v5 names, when I actually have
no interest at all in the Kerberos v5 name.

I think a better approach would be to require ptservers in cells which
support multiple implementations of the same underlying security
mechanism to perform the mapping. So, if you have a cell which supports
both native Kerberos v5, and GSSAPI, then the ptserver should be
responsible for mapping from the GSSAPI name to the Kerberos v5 one, and
vice versa.

Cheers,

Simon
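
Added illustration, not part of the original message or of the draft under review: a sketch of the two-way mapping between a GSSAPI exported name and a Kerberos v5 principal string that the message proposes a ptserver perform. It assumes the exported-name token layout of RFC 2743 section 3.2 and the Kerberos v5 name form of RFC 1964; the function names, the UTF-8 encoding choice and the sample principal are hypothetical.

```python
import struct

# DER encoding (tag, length, value) of the Kerberos v5 GSSAPI
# mechanism OID 1.2.840.113554.1.2.2.
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")
TOK_ID = b"\x04\x01"  # exported-name token identifier (RFC 2743, 3.2)


def krb5_to_gss_export(principal: str) -> bytes:
    """Wrap a Kerberos v5 principal string as a GSSAPI exported name."""
    name = principal.encode("utf-8")  # assumption: UTF-8 principal names
    return (TOK_ID
            + struct.pack(">H", len(KRB5_MECH_OID_DER)) + KRB5_MECH_OID_DER
            + struct.pack(">I", len(name)) + name)


def gss_export_to_krb5(token: bytes) -> str:
    """Map a GSSAPI exported name to its Kerberos v5 principal string.

    Rejects anything that is not a well-formed krb5 exported name, so a
    name from another mechanism can never be treated as a krb5 identity.
    """
    if len(token) < 4 or token[:2] != TOK_ID:
        raise ValueError("not a GSSAPI exported name token")
    (oid_len,) = struct.unpack(">H", token[2:4])
    oid_end = 4 + oid_len
    if len(token) < oid_end + 4:
        raise ValueError("truncated token")
    if token[4:oid_end] != KRB5_MECH_OID_DER:
        raise ValueError("mechanism is not Kerberos v5; no mapping defined")
    (name_len,) = struct.unpack(">I", token[oid_end:oid_end + 4])
    name = token[oid_end + 4:]
    if len(name) != name_len:
        # Trailing or missing bytes would let two tokens map to one name.
        raise ValueError("name length does not match token size")
    if b"\x00" in name:
        raise ValueError("embedded NUL in principal name")
    return name.decode("utf-8")


if __name__ == "__main__":
    sample = "user@EXAMPLE.ORG"  # constructed sample principal
    token = krb5_to_gss_export(sample)
    print(token.hex())
    print(gss_export_to_krb5(token))
```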