[OpenAFS] Some questions about the future of OpenAFS
Derrick J Brashear
shadow@dementia.org
Tue, 30 Apr 2002 18:04:01 -0400 (EDT)
On Tue, 30 Apr 2002, Matthew N. Andrews wrote:
> >Work is ongoing _today_ to add real GSSAPI support to Rx. Once this work
> >is done, and appropriate integration work complete, there really won't be
> >a concept of a "token" as a data object you pass around. What you'll have
> >is a process or library that knows how to establish GSS contexts on the
> >user's behalf.
> >
> So, is the intent here to use something like mech-glue to allow you the
> client, and server to negotiate a particular type of gssapi
> authentication, or will users simply not be able to authenticate to both
> cell a, and b from the same machine if the two cells use different
> gssapi libraries? one of the things that makes afs an attractive
> solution to my users is that they can access calls a, b and c all from
> the same machine just by running klog for each of them.
The beauty of SPNEGO is as long as you provide the overlying SPNEGO layer
as long as I share an underlying mech with each site I wish to
authenticate to, I'm fine. It doesn't have to be the same one.