[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Ernest Prabhakar prabhaka@apple.com
Tue, 21 Mar 2006 10:19:35 -0800


Hi Ken,

On Mar 21, 2006, at 10:07 AM, Ken Hornstein wrote:
> The problem is that AFS tokens are "short lived" secrets; you get a new
> one every time you re-authenticate to Kerberos.  Maybe you could fit it
> in there, but it's not obvious to me how you would do it.  I think to
> really make it work you'd need to extend how Keychain works.

This sounds like it would make an excellent DTS support question.  Do  
any of the people working on this code have an ADC Select Membership  
they could use to ask about this? If not, let me know who the right  
person is on your end, and I'll get them hooked up.

> Shifting gears a bit ... as long as we're talking about OpenAFS, MacOS
> X, and the AFS token, it would be useful if we could reference AFS
> tokens by the MacOS Security Session (the one that's created by
> SessionCreate()), rather than by userid as we do now.  I guess all we
> would really need from the MacOS side is a way inside of the kernel
> to know what session a particular process belongs to.  This would
> let us do PAGs the "right" way on MacOS X.

This sounds like an excellent Apple bug report/feature request.   
Could you please file that -- being as specific as possible -- and  
send me the bug number?

http://developer.apple.com/bugreporter/

Thanks,
-- Ernie P.