[OpenAFS] Kerberos 5, AFS, and no krb524d

Douglas E. Engert deengert@anl.gov
Fri, 06 Jun 2003 15:55:32 -0500


Ken Hornstein wrote:
> 
> >> aklog ends up being a real pain in the ass piece of software.  It's tied
> >> to both your Kerberos implementation _and_ your AFS implementation.  Just
> >> compiling it can be a challenge.
> >
> >Dare I say gssapi again?
> 
> So, you need to link in your GSSAPI implementation, which requires you to
> link in your Kerberos implementation ...

This is currently shared libs, but could be a dynamic link too. 
The point being the code includes no Kerberos header files (it needs a gssapi.h),
and no Kerberos API issues.

There is still a trade-off. The gssklog requires a server to return the token.
If there could be an aklog that did not require a krb524d, at least for the
Kerberos world this would be preferable from a performance point of view.

But then again, if a gssklog could use the MS SSPI, then you would not need 
a separate Kerberos on the client, unless the AFS client itself required
it.

 


> 
> --Ken

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444