[OpenAFS] Re: foreign-realm members of system:administrators have weakened
Sat, 28 Jan 2006 16:19:39 -0800
Ken Hornstein <firstname.lastname@example.org> writes:
>>Basically, unless I can get this to a truly zero-configuration
>>situation for users, my project is not gonna fly. It's just the
>>realities of how things are.
> It's not like it's completely zero-conf now (except maybe under MacOS X).
> You still have to distribute various Kerberos & AFS bits for people.
To clarify, I need to point them at an installer on openafs.org that
they can double click (with a strong preference for being able to
accept all the default options). This is for Windows and MacOS users;
the Linux users know what they're doing (I hope).
On MacOS, I currently have achieved this goal (hooray!), although I'm
still a bit confused about why it actually works (gift horse? mouth?).
On Windows this cell-to-realm thing is the last remaining issue,
assuming that the get-my-tokens gui uses the same underlying algorithm
> I simplify the matter by using a customized Kerberos distribution.
Yeah, I thought about that... users get more suspicious when I ask
them to install my personally-packaged version of some software. I'm
not their "primary" system/network administrator. (I know this is a
rather silly approach to trust+security, but that's user psychology
for you). This would be even more difficult with industrial
researchers we collaborate with; they're incredibly paranoid about
installing stuff. Perhaps with good reason.
> I realized a long time ago it's simpler just to distribute my own
> software rather than fight a battle I'm not going to win.
Yeah, currently my last hope is the hack of having a bogus primary
AFSDB entry to get the strip-the-first-component-and-upcase-it
heuristic to work.
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380