[OpenAFS] Kerberos 5, AFS, and no krb524d
Douglas E. Engert
deengert@anl.gov
Thu, 05 Jun 2003 15:19:09 -0500
Derrick J Brashear wrote:
>
> On Thu, 5 Jun 2003, Douglas E. Engert wrote:
>
> > > Yes, of course it can. What happens if that composition changes? Why
> > > change 5000 aklogs when you can change one krb524d.
> >
> > Thats fine too, if you have the install base.
> >
> > But the oroginal problem as that the user could not get his admins to run
> > krb524d, and everyone is having problems finding an aklog that runs for them.
> >
> > So in the long run if you can avoid using the krb524d all the better.
>
> I think the same can be said of gssklogd.
Yes but:
It can also work with other GSSAPI, like the Globus GSI.
It (almost) can work with the MS SSPI, thus it could run on a
system without any MIT or Hiemdal code. (This might be a mute point
if future AFS clients need the MIT or Hiemdal code anyway.)
But if you had a built in klog that understood K5 I would use it.
I would suspect that this is what most people would want,
a klog that use the existing K5 credentials to get an AFS token.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444