[OpenAFS] Hardware Grants from Sun

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 23 Feb 2007 16:18:35 -0500


On Friday, February 23, 2007 12:03:58 PM -0600 "Douglas E. Engert" 
<deengert@anl.gov> wrote:

> So to force sshd to use a session based cache we added a
> "pam_krb5_cache.so.1 cache=/tmp/krb5cc_%u_%p" to set the cache name.

Horray for extensibility!


> Also as you must already know, I have bee bugging them to
> release the Kerberos header files for Solaris 10, so one could
> compile *aklog* using the Solaris Kerberos. (This is reported to be
> in "update 4". looks like this might be another 6 months!)
> We have ben using OpenSolaris Kerberos header files with Solaris 10,
> and so far it works.

There are krb5 headers in /usr/include/kerberosV5 on my snv_56 box.

>> As for home directories; we've been putting users' home
>> directories in AFS for O(15) years, though we only appear to have been
>> supporting Solaris since 1995. If you have specific issues, please
>> describe them instead of asking that Sun be "willing to state a desire"
>> for things to work that already do.
>
> There are still issues with having to have an AFS token before any
> files in the home directory are accessed, even the .k5login. Since this
> is a general OS problem.

That's hardly specific to Solaris, nor really something Sun can do anything 
about, short of using a different authorization model.  My usual 
recommended answer to this problem is to be less fascist about home 
directory ACL's, but of course that's not for everyone.


> The point is things don't work as well as they could, partly because the
> OS developers don't use AFS. This "acceptance of a "gift" might be the
> time to get Sun to look a little closer at how things really work.

Bear in mind that at the moment, we're not talking about whether we should 
accept a grant.  We're talking about whether we should ask for one.  (In 
fact, even that isn't really a topic for openafs-info, but it's too late to 
do anything about that now).

-- Jeff