[OpenAFS] Kerberos 5, AFS, and no krb524d
Rodney Dyer
rmdyer@uncc.edu
Sun, 08 Jun 2003 23:41:36 -0400
At 03:09 PM 6/6/03 -0500, Neulinger, Nathan wrote:
>Then you have a "big project" maintaining compatibility with lots of
>kerb distributions, instead of a small project doing so.... Latter is
>much easier to maintain I believe.
Why? Far be it from me to make this supposition but I'm going to. There
exists one open source project for AFS and as far as I'm concerned one open
source project for Kerberos. If AFS is going to transition to Kerb 5, then
it should use a Kerberos open source project to "meld" with. If I'm not
mistaken that's the MIT Kerberos distribution. Are there others of any
significance? Please tell me if there are because I haven't heard of any.
Let's see a show of hands of AFS users who want to transition to Kerb
5? Let's see a show of hands of users who wouldn't mind the "klog -mitv5"
command calling the MIT distribution's Kerberos library interfaces?
>I think that's the end goal, but getting there will be a while. We
>currently don't have any dependency or integration of krb5 at compile
>time into the openafs build. Maybe we should, not clear.
Yes, you should. Otherwise AFS is going to languish in the backwaters
from a LOTR Gollum type schizophrenia of indecision... should we, or
shouldn't we, should we, or shouldn't we.
The only real standard on Windows machines for Kerberos authentication is
through the SSPI. And I'm pretty sure you don't want to go that
route...right? So, it's either MIT's distribution or nothing else. You
might argue that there are lots of Kerberos distributions, but are they
open in any sense of the word? Why tie the OpenAFS project to closed-source
distributions?
Hmm...just thinking...for the Windows users...so would it be possible to
create an AFS K5 service principal on Microsoft's AD server, then request
that service principal, strip it clean, then stuff it into the AFS token
cache? I suppose the salts would be a problem here. But, if you could do
this, you wouldn't need the krb524 code right?
Anybody got any ideas in this direction? Am I talking out of my Uranus?
Rodney