[OpenAFS] Re: final prerequisite for world domination

Adam Megacz megacz@cs.berkeley.edu
Thu, 29 Dec 2005 20:44:20 -0800

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> zeroauth (for lack of a better term) is a completely different matter.

I agree.  I think the point I'm trying to make is that this is outside
the scope of what I'm proposing, and that modularity is good.

What I'm saying is that you should be able to keep your authentication
policies, but that other sites should be able to choose different
policies and still be able to use AFS.

>>> You just accept any username, create a KDC entry for them,
>> Only the KDC admin can do this.
> Well, there _is_ cross-realm authentication, of course.

That requires N^2 entries, administrator intervention, and excludes
people who don't belong to a Kerberos cell.  So while it is certainly
nice where it works, there are a lot of situations where it doesn't.

> While I am pretty liberal with who we cross-realm with, that does
> not extend to users using those realms.

Hrm, I'm not quite sure how to interpret this...

  - a