[OpenAFS] Poll: how many organizations are performing principal name mappings via krb524d, gssklogd, etc?

Douglas E. Engert deengert@anl.gov
Wed, 22 Sep 2004 11:05:31 -0500

Jeffrey Altman wrote:

> Douglas E. Engert wrote:
>> Could this be extended to support multiple realms?
>> There may be site where the user portion of the
>> principal from multiple realms map to the same AFS user.
>> i.e. x@realm1 and x@realm2 both map to x@cell.

The point was a simple change that looks like it could satisfy
most if not all of the current users.

> Please see the thread "Anyone supporting multiple realms in a "all 
> realms are equal" type of setup?"

I am trying to keep up. I see he sent his 2 minutes before I sent mine.
I also responded to his, as it looks like it would work with Kerberos.

> in openafs-devel from today.
> I believe that jhutz's proposal for extending the ptserver interfaces
> to support mappings from authentication names to vice IDs is a
> reasonable direction which does not make the use of AFS dependent
> on an arbitrary service which may or may not exist depending on
> how the cell is configured and which authentication method is used.

I am saying that the token issuer/mapping service could be introduced
as a standard service of AFS, and could even use gss mech selection.

I am also saying that a lot of the overhead associated with supporting
arbitrary authentication methods can be moved to the token issuer/mapping
service that is only done once per token, rather than being spread
through all of the AFS services and client kernel. AFS can continue
to use the K5 2b tokens internally no matter how they were derived.

> Jeffrey Altman


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444