[OpenAFS] One more plea for a transparent Krb5 implementation of klog

John Tang Boyland boyland@solomons.cs.uwm.edu
Wed, 27 Apr 2005 15:04:31 -0500


As OpenAFS moves toward supporting Kerberos 5 natively, I would
like to make the request that it be done in the style of current AFS's
klog and not in the style of 'aklog.'

(1) aklog requires one to have specific kerberos 5 libraries
(2) aklog requires one to install kerberos 5 and maintain a /etc/krb5.conf
    on every client
(3) krb5.conf is full of cell-specific information

Currently if one has a client for one cell of AFS, it's easy to start
accessing things in a different cell given an ID and a password.  All
that would change if one had to use aklog.  The client's krb5.conf
file has to have sections added to handle the peculiarities of the new
cell.  When I've mentioned this before, I was asked why one should
worry about krb5.conf, since administrators already need to do so much
else (AFS configuration, for instance).  Perhaps, but in this case, the
administrators would have to handle foreign cells too.

What I'd like to see is OpenAFS define a ka-forwarder on database machines
that understands Kerberos5 so that a (new) klog could use the new
Kerberos5 abilities without needing a krb5.conf.  The ka-forwarder would
need to be configured with krb5.conf stuff but only for the local
cell, and the need to do so should come as no surprise.  For clients,
CellServDB would contain all that is needed to access a foreign cell.

John
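To make concrete the point above about per-cell krb5.conf stanzas versus what a client already carries in CellServDB, here is an added example (not code from OpenAFS, and not the poster's) that parses a constructed CellServDB, renders the [realms] and [domain_realm] entries an aklog-style client would need for each cell, and reports which cells an existing krb5.conf does not yet cover. The sample CellServDB and krb5.conf contents, the function names, and the heuristic that a cell's realm is the cell name in upper case with KDCs on the database servers are all assumptions made for the example; real cells need not follow that convention.

```python
"""Derive the krb5.conf stanzas an aklog-style client needs per cell.

Added example for this thread, not OpenAFS code.  Assumption (a heuristic,
not a rule): a cell's Kerberos realm is the cell name in upper case and the
cell's database servers also run KDCs.  Cells that break either assumption
are exactly the ones whose krb5.conf sections must be written by hand.
"""

import re

# Constructed sample CellServDB, as a client would carry for two cells.
SAMPLE_CELLSERVDB = """\
>example.org            #Example University
192.0.2.10              #afsdb1.example.org
192.0.2.11              #afsdb2.example.org
>cs.example.edu         #Example CS department
198.51.100.5            #afs.cs.example.edu
"""

# Constructed krb5.conf that only knows the client's home cell.
SAMPLE_KRB5CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = afsdb1.example.org
    }
"""


def parse_cellservdb(text):
    """Return {cell: [(ip, hostname), ...]} from CellServDB text."""
    cells = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            # ">cell   #description" opens a new cell block.
            current = line[1:].split("#", 1)[0].strip()
            cells[current] = []
        elif current is not None:
            # "ip   #hostname": in CellServDB the text after '#' is the
            # server's hostname, not a comment.
            addr, _, host = line.partition("#")
            cells[current].append((addr.strip(), host.strip()))
    return cells


def realm_for_cell(cell):
    """Heuristic realm name (assumption): upper-cased cell name."""
    return cell.upper()


def krb5_stanzas(cells):
    """Render [realms] and [domain_realm] sections covering every cell."""
    realms = ["[realms]"]
    domain_realm = ["[domain_realm]"]
    for cell, servers in cells.items():
        realm = realm_for_cell(cell)
        realms.append(f"    {realm} = {{")
        for _ip, host in servers:
            realms.append(f"        kdc = {host}")
        realms.append("    }")
        domain_realm.append(f"    .{cell} = {realm}")
        domain_realm.append(f"    {cell} = {realm}")
    return "\n".join(realms + [""] + domain_realm) + "\n"


def configured_realms(krb5conf):
    """Realm names that already have a stanza in the [realms] section."""
    realms = set()
    in_realms = False
    for line in krb5conf.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_realms = s == "[realms]"
            continue
        if in_realms:
            m = re.match(r"([^\s=]+)\s*=\s*\{", s)
            if m:
                realms.add(m.group(1))
    return realms


def cells_missing_from_krb5conf(cells, krb5conf):
    """Cells from CellServDB whose (assumed) realm has no krb5.conf stanza."""
    have = configured_realms(krb5conf)
    return sorted(c for c in cells if realm_for_cell(c) not in have)


if __name__ == "__main__":
    cells = parse_cellservdb(SAMPLE_CELLSERVDB)
    print("cells without a realm stanza:",
          cells_missing_from_krb5conf(cells, SAMPLE_KRB5CONF))
    print(krb5_stanzas(cells))
```

The generated stanzas are only as good as the realm heuristic: a cell whose realm name differs from its cell name, or whose KDCs are not its database servers, still needs hand-written krb5.conf entries, which is the maintenance burden the message describes.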