[OpenAFS] Re: Issues with KfW and OpenAFS

Jeffrey Altman jaltman@columbia.edu
Fri, 26 Mar 2004 08:22:22 -0800


Douglas E. Engert wrote:

>There is an important issue here. Will future versions of OpenAFS be dependent
>on KfW?  
>
OpenAFS is not dependent on KFW.  You can turn the use
of KFW off on a local machine or current user basis if
desired.  However, if you want Kerberos 5 support integrated
into the OpenAFS tools (system tray dialogs, aklog, integrated
logon, etc) KFW is the way you get it.

As you well know, the version of Kerberos provided in Windows does not have
a clean API.  Its behaviors have changed in each version of Windows.  Via
the MIT MSLSA: krb5_ccache type all of this is hidden.  You are able to
utilize both the Kerberos SSP and the MIT implementation in a uniform
manner.  All of the ugly details of the Kerberos SSP are hidden from view.

Even if you could simply use the Kerberos SSP, you would still need
a Kerberos library to support krb524d or something similar.  Yes, I know
about your desire to have your gssklogd be supported instead.  However, that
functionality is not packaged at the current time with either of the popular
KDCs nor is it packaged with OpenAFS. 

My final argument is one of limited resources.  The available resources
are extremely limited.  Not just from a funding perspective but from a
developer perspective.  It's not like we have had people jumping up and
down desiring to perform development work on OpenAFS for Windows.
I cannot justify the cost of re-implementing and maintaining the code
necessary to utilize the Kerberos LSA on current and future platforms
within OpenAFS when there is a library available which is supported
and maintained which breaks the dependencies and provides an abstraction
layer which allows OpenAFS to use Kerberos 5 seamlessly regardless of
whether the Windows Logon Session is Kerberos 5 authenticated or not.

So while MIT Kerberos for Windows is not required, I believe that from
a practical perspective, for 99% of OpenAFS users on Windows it should
be considered as if it were.  Constructing a single NSIS installer which
conditionally installs MIT KFW if it is not there is trivial given the fact
that both OpenAFS and MIT KFW are using the NSIS scripts.

Jeffrey Altman

