[OpenAFS-devel] More on aklog

Rainer Schöpf rainer.schoepf@proteosys.com
Tue, 12 Oct 2004 09:54:53 +0200 (CEST)

On Mon, 11 Oct 2004, Derrick J Brashear wrote:

 > Jeff Altman explained why in the RT ticket you opened; Basically, "because 
 > it can lead to 2 principals being treated as the same one".

Fair enough. A minor annoyance only. It was my bad luck that I did my 
first test with the wrong principal. (Although I still think that aklog or 
ktc_Settoken should give an error message for a principal with a "." in 
its name.)

However, a not so minor annoyance is the lack of documentation. There is
not much on 2b tokens, and I could not find anything about these pitfalls.
In particular, the Unix specific documentation says very little about
Kerberos 5 integration, if at all.

I think a sort of "best practices" document is needed. I'll try to write
something down in the near future.

 > Until the pts suite has been modified and we are using true krb5 
 > everywhere (or at least in the code path where such check happens) this 
 > will not be removed.

So the first step would be to modify the pts suite. Is this something to 
happen soon? Just asking.

 Rainer Schöpf