[OpenAFS] kaserver deprecation, OpenAFS future, etc...

Marcus Watts mdw@umich.edu
Thu, 19 Oct 2006 18:51:40 -0400


Harald Barth <haba@pdc.kth.se> writes:
> Ken wrote:
> > A formal statement by the Elders might be useful here.
> 
> I'd like to see the following:
> 
>     * A statement. ASAP. Not later than after the next 
>       elders meeting.
>     * The next 1.5.x release without kaserver
>     * The next 1.4.y release with kaserver renamed to
>       kaserver-only-use-behind-firewall so that the
>       admin has to actively rename it to make it work
> 
> Unless action by the AFS admin is required (i.e. we actually take away
> the broken toy so it can not be misused), we will not be able to
> communicate "krb4 is bad and kaserver double so". 
> 
> Google for kaserver and my username and the hits will show you what
> I've been thinking about kaserver. I found my emails from 2001...
> Mmmmmmm: strncpy(strlen()), great stuff.
> 
> Harald.

I'm thinking that it would be nice to have these configure options:
	--enable-kaserver
	--disable-kaserver
If done in 1.4.x -- default enabled.

When done in 1.5.x -- default disabled.

Probably we should also announce that in 1.6 (the next "stable" version)
it will be disabled.

I'm not sure the wording change is necessary - I would like to think
that mentioning this in our release notes would be sufficient.

Several people said it was hard to start up afs with mit straight off.
My cheat sheet for doing this is here:
	/afs/umich.edu/user/m/d/mdw/wp/uniq.2y
I use this regularly to set up test cells.  This should take 15 minutes
to 1 hour, depending on how familiar you are with the steps and how
carefully you follow them (and assuming you don't have to look for
asetkey or a pre-existing working afs client.)  My instructions
specifically avoid both using kaserver and using "-noauth".  The cell
comes up with working k5 authentication from the start.  The kerberos
part is I think pretty simple, and is also extensively documented by
MIT.  The only painful step is pt_util.  I have ideas for how to
improve that (either fix pt_util or implement pts -localauth.)  There's nothing
real magical about this process -- the pt_util hack comes straight from
Sam Hartman's debian scripts.

I'm hoping something like this will make it into our documentation,
along with other basic improvements for troubleshooting.  That documentation
is now in the cvs repository so that process is at least started.
If folks want to volunteer to help work on that I'm sure the assistance
would be appreciated.

				-Marcus Watts