[OpenAFS] Re: what is aklog's algorithm for "deducing" what cell to authenticate to?
Fri, 30 Dec 2005 16:37:22 -0500
On Wednesday, December 28, 2005 01:44:26 PM -0500 Jeffrey Altman wrote:
> A good solution for this would be to provide a new RPC that can be sent
> to any AFS service that requires authentication that would return a
> list of local authentication domains:
> * Kerberos 4: KERBEROS.REALM
> * Kerberos 5: KERBEROS.REALM
> * Kerberos 5: ANOTHER.REALM
> Then aklog could obtain the list of AFSDB records and query the servers
No, that would be a horrible solution. It's terribly insecure, and
introduces Kerberos-specific behavior at a time when we're trying to move
forward with a mechanism-independent security class. Really, Jeff, you
should know better.