[OpenAFS-devel] [Win] Status of remote logins
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 25 Feb 2005 19:08:23 -0500
On Friday, February 25, 2005 12:08:05 PM -0800 Mike Fedyk
<mfedyk@matchmail.com> wrote:
> I'd suggest getting some documentation on the internals of AD and
> Kerberos so this project can move forward. Can anyone suggest some good
> books for this (and maybe for the SCSI protocol too -- separate issue
> entirely though)?
The Kerberos protocol is well documented; in fact, it is an Internet
standards-track specification. For the current specification, see
draft-ietf-krb-wg-kerberos-clarifications-07.txt, RFC3961, and RFC3962.
This is a bit off-topic, but the SCSI protocol is also fairly well
documented; it is an IEEE standard. For an overview of the SCSI-3
architecture and links to the drafts describing its architecture,
transports, and command sets, see <http://www.t10.org/scsi-3.htm>.
It should be noted that AD is not just a Kerberos server; it's also an LDAP
server. The LDAP protocol is also an Internet standards-track protocol,
which is the subject of ongoing work in the ldapbis working group. See
http://www.ietf.org/html.charters/ldapbis-charter.html
Unfortunately, the problem is that AD is more than just LDAP and Kerberos;
it requires specific extensions, some of which are poorly-documented, if at
all. As Jeff has noted, it is certainly possible to build a replacement
for AD; in fact, there are a couple such projects which have already been
mentioned in this thread.
However, such an effort is out of scope for the OpenAFS project. OpenAFS
is not an authentication service or a directory service, which are the
things AD does, and so it is not a replacement for AD. AFS is a
distributed network filesystem, and it fills that role extremely well -- so
well, in fact, that I have yet to see its equal. However, it is not a
complete distributed computing infrastructure, and does not purport to be.
No amount of asking "how can I have users log in to my windows box without
having local accounts or a directory service" will change the fact that a
directory service is an essential component in any such system, and that
service is simply not what AFS does.
If you are interested in work toward providing distributed computing
infrastructure based on Kerberos and LDAP, I suggest you check out work
like XAD (<http://www.padl.com/Products/XAD.html>) and the Hurderos project
(<http://www.hurderos.org/>).
--
Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA