[OpenAFS] Puzzler: lack of access to AFS files

Douglas E. Engert deengert@anl.gov
Wed, 12 Dec 2007 14:37:43 -0600


John Hascall wrote:
>> John Hascall wrote:
>>> Would it work to modify the KDC such that when it hands out
>>> an afs/<cell>@REALM ticket for a TGT with a client name that
>>> is in the sconv table (like my sysadmin/asw.iastate.edu@IASTATE.EDU)
>>> that it 'K4-izes' that name (to sysadmin/asw in this case) in the
>>> returned ticket?  (Thus obviating the need to futz with the code
>>> on every AFS server.)
> 
>>> Or is that just too hideous?
> 
>> Sounds like the tail wagging the dog. There are KDCs used with AFS
>> that are not modifiable, and don't support any k4. You don't want to
>> fiddle with the K5 protocols either.  It's time to get AFS 'k5-ized'.
> 
> Yes, it would be lovely if AFS was 100% K5. 

The hint was to the AFS developers, that it is time, and some of us
use KDCs that are not modifiable.

> (If it was, all this would
> already be working!)  But, that's not something *I* can make happen.
> I can, however, modify my KDC.  And I'm not sure why I would
> (a) care about KDCs used with AFS that are not modifiable, or
> (b) care about lack of K4 support in the KDC.

Yes, you can, but then you have a local mod, and eventually AFS will
add the code to support k5 principals.

As Jeff said, aklog -524 would work or if you are still using
gssklog, the gssklogd has a mapping that would also work :-)
(No new work is being done on gssklog.)

Your other fix, use single valued principals, might be the best bet.

> 
> John

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
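
The name rewriting proposed in the quoted message (sysadmin/asw.iastate.edu@IASTATE.EDU becoming sysadmin/asw) can be sketched as follows. This is an added example, not code from the thread, from a KDC, or from OpenAFS; the function `k4ize`, the table contents and the 40-byte Kerberos 4 field limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define K4_FIELD_MAX 40  /* assumed K4 name/instance buffer size, NUL included */

/* Constructed table of first components whose instance is a host name to be
 * shortened. "sysadmin" is listed only because the thread says that site's
 * table contains it; a real table is site- and implementation-specific. */
static const char *const short_inst_names[] = { "host", "sysadmin", NULL };

static int in_table(const char *name)
{
    for (int i = 0; short_inst_names[i]; i++)
        if (strcmp(short_inst_names[i], name) == 0)
            return 1;
    return 0;
}

/* Rewrite "name[/instance]@REALM" as "name[/instance]" in the K4 style used
 * in the thread. Returns 0 on success, -1 if the name cannot be represented
 * (empty or oversized field, or more than two components). */
int k4ize(const char *k5, char *out, size_t outlen)
{
    char name[K4_FIELD_MAX], inst[K4_FIELD_MAX] = "";
    const char *at = strrchr(k5, '@');
    const char *end = at ? at : k5 + strlen(k5);
    const char *slash = memchr(k5, '/', (size_t)(end - k5));
    size_t nlen = (size_t)((slash ? slash : end) - k5);

    if (nlen == 0 || nlen >= sizeof name)
        return -1;
    memcpy(name, k5, nlen);
    name[nlen] = '\0';
    if (slash) {
        const char *istart = slash + 1;
        size_t ilen = (size_t)(end - istart);
        if (memchr(istart, '/', ilen))   /* three or more components */
            return -1;
        if (in_table(name)) {            /* keep only the short host name */
            const char *dot = memchr(istart, '.', ilen);
            if (dot)
                ilen = (size_t)(dot - istart);
        }
        if (ilen == 0 || ilen >= sizeof inst)
            return -1;
        memcpy(inst, istart, ilen);
        inst[ilen] = '\0';
    }
    int n = inst[0] ? snprintf(out, outlen, "%s/%s", name, inst)
                    : snprintf(out, outlen, "%s", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Names whose first component is not in the table pass through with the instance unchanged, and anything that does not fit the two-component, fixed-size K4 form is rejected rather than truncated.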