[OpenAFS] Hardware Grants from Sun
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 23 Feb 2007 16:18:35 -0500
On Friday, February 23, 2007 12:03:58 PM -0600 "Douglas E. Engert"
<deengert@anl.gov> wrote:
> So to force sshd to use a session based cache we added a
> "pam_krb5_cache.so.1 cache=/tmp/krb5cc_%u_%p" to set the cache name.
Hooray for extensibility!
> Also as you must already know, I have been bugging them to
> release the Kerberos header files for Solaris 10, so one could
> compile *aklog* using the Solaris Kerberos. (This is reported to be
> in "update 4". Looks like this might be another 6 months!)
> We have been using OpenSolaris Kerberos header files with Solaris 10,
> and so far it works.
There are krb5 headers in /usr/include/kerberosV5 on my snv_56 box.
>> As for home directories; we've been putting users' home
>> directories in AFS for O(15) years, though we only appear to have been
>> supporting Solaris since 1995. If you have specific issues, please
>> describe them instead of asking that Sun be "willing to state a desire"
>> for things to work that already do.
>
> There are still issues with having to have an AFS token before any
> files in the home directory are accessed, even the .k5login. Since this
> is a general OS problem.
That's hardly specific to Solaris, nor really something Sun can do anything
about, short of using a different authorization model. My usual
recommended answer to this problem is to be less fascist about home
directory ACLs, but of course that's not for everyone.
> The point is things don't work as well as they could, partly because the
> OS developers don't use AFS. This acceptance of a "gift" might be the
> time to get Sun to look a little closer at how things really work.
Bear in mind that at the moment, we're not talking about whether we should
accept a grant. We're talking about whether we should ask for one. (In
fact, even that isn't really a topic for openafs-info, but it's too late to
do anything about that now).
-- Jeff