[OpenAFS] Some questions about the future of OpenAFS

Tim Gaastra tim@gaastra.net
Mon, 22 Apr 2002 13:35:53 -0700


> Let's make sure you understand what is going on here.  An "AFS Token"
> is really just a V4 service ticket and session key that has been
> crammed into the kernel for use by the cache manager.  A "straight"
> conversion to V5 would likely involve a similar thing, except it would
> be a V5 service ticket and a V5 session key.  There has been some talk
> about using the callout interface to talk to a userland process to get
> the necessary tickets and authenticator ... but then we have the
> problem of associating a particular Unix process to a set of
> credentials.  I'm not sure what the right solution is here.  If I had
> the time, I'd work on a system that put a separate service key on each
> AFS server, but that's just me.

Ah, I was indeed vaguely aware of that (AFS tokens being just v4 tickets
and authenticators) but it's always a good thing to have someone more
knowledgeable than oneself point out where one is making errors of
facility. I think I see where you're going with this, in that you still
need something after the conversion (if a straight conversion) to put
the credentials in kernel space for the cache manager, so you'd still
need something beyond kinit/pam_krb5 to get the principals usable to
AFS?