[OpenAFS] Kerberos 5, AFS, and no krb524d
Derrick J Brashear
shadow@dementia.org
Mon, 9 Jun 2003 16:02:04 -0400 (EDT)
On Mon, 9 Jun 2003, Rodney M Dyer wrote:
> Well then the solution seems straight forward. The OpenAFS group needs to
> create a standardized wrapper library for obtaining the AFS credential
> (token). The "klog" command then needs to be renamed to "afslogon" and all
> references to anything kerberos needs to be stripped out of the code
> base. Then, you just end up calling your authentication wrapper with the
> information to obtain the token. The wrapper does the work of determining
> which authentication method you are using, getting the token, etc. Gee,
> this hints of a mechanism like SASL. The way I see it, AFS is way too
> dedicated to Kerberos. OpenAFS and Kerberos share a common
> history. Separating the two is like cutting off an arm.
Well, whatever we do has to involve the backend authentication system
somewhere. Either servers have to know how to deal, or the magic "make a
token" service does. And just coming up with a "make a service" token
doesn't get us better authentication or encryption. You seem to be
worrying about the cart before the horse.
> So if I've set up my AD domain to trust a MIT Kerberos realm's TGT, then I
> could just request my AFS service principal ticket from my AD server right?
Define "trust". Same realm or different?