[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 21 Mar 2006 15:12:00 -0500


>I will note that AFS PAG's do provide a much better model for how to
>manage credentials.  It's not perfect either, but I consider it a
>reasonable minimum for what Apple should provide.

If you mean in terms of who gets access to your credential store, MacOS X
does that pretty well now with the API cache.  Those are segmented by
MacOS Security Sessions, which give you the same sort of inheritance
that AFS PAGs have today.

The problem lxs was referring to was client credential _selection_ ...
which is a tough one, since there are cases where it might make sense
to use "another" client credential, it might make sense to do cross-realm,
and there's no good way to figure out which one is "correct".  AFS
sort of sidesteps this issue: you can only have one client identity per
AFS cell, and it pushes the whole "do I use a local credential or cross-realm
credential?" question back squarely onto Kerberos's lap.

--Ken