[OpenAFS] Re: foreign-realm members of system:administrators have weakened powers?

Adam Megacz megacz@cs.berkeley.edu
Sat, 28 Jan 2006 16:19:39 -0800

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
>>Basically, unless I can get this to a truly zero-configuration
>>situation for users, my project is not gonna fly.  It's just the
>>realities of how things are.

> It's not like it's completely zero-conf now (except maybe under MacOS X).
> You still have to distribute various Kerberos & AFS bits for people.

To clarify, I need to point them at an installer on openafs.org that
they can double click (with a strong preference for being able to
accept all the default options).  This is for Windows and MacOS users;
the Linux users know what they're doing (I hope).

On MacOS, I currently have achieved this goal (hooray!), although I'm
still a bit confused about why it actually works (gift horse? mouth?).
On Windows this cell-to-realm thing is the last remaining issue,
assuming that the get-my-tokens GUI uses the same underlying algorithm
as aklog.exe.

> I simplify the matter by using a customized Kerberos distribution.

Yeah, I thought about that...  users get more suspicious when I ask
them to install my personally-packaged version of some software.  I'm
not their "primary" system/network administrator.  (I know this is a
rather silly approach to trust+security, but that's user psychology
for you).  This would be even more difficult with industrial
researchers we collaborate with; they're incredibly paranoid about
installing stuff.  Perhaps with good reason.

> I realized a long time ago it's simpler just to distribute my own
> software rather than fight a battle I'm not going to win.

Yeah, currently my last hope is the hack of having a bogus primary
AFSDB entry to get the strip-the-first-component-and-upcase-it
heuristic to work.

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380