[OpenAFS] Some questions about the future of OpenAFS
Ken Hornstein
kenh@cmf.nrl.navy.mil
Mon, 22 Apr 2002 15:34:14 -0400
>1) Is there a time table for converting AFS to be a Kerberos V5 service?
>(I.e., no need for krb524d, no need to use asetkey to grab the key from
>a keytab into the KeyFile but instead just using a keytab like other V5
>services, etc.)
My understanding is that there is work taking place in this arena, but it
is a significant effort (I believe a lot of the protocol design work is
done, but no code has been written yet). Others could speak to this better.
>2) If such a V5 conversion occurs, could AFS tokens be done away with
>completely and authorization take place purely with Kerberos
>tickets/principals? (No need for aklog, etc.) I personally would like
>the ptserver to just be about assigning principals to groups and
>defining what principals have what privileges rather than it being
>another user database (I do agree with the sentiment that a minimal
>number of user databases is a good thing).
Let's make sure you understand what is going on here. An "AFS Token" is
really just a V4 service ticket and session key that has been crammed
into the kernel for use by the cache manager. A "straight" conversion
to V5 would likely involve a similar thing, except it would be a V5
service ticket and a V5 session key. There has been some talk about
using the callout interface to talk to a userland process to get the
necessary tickets and authenticator ... but then we have the problem of
associating a particular Unix process to a set of credentials. I'm not
sure what the right solution is here. If I had the time, I'd work on
a system that put a separate service key on each AFS server, but
that's just me.
--Ken