[OpenAFS] Hardware Grants from Sun

Douglas E. Engert deengert@anl.gov
Fri, 23 Feb 2007 16:22:22 -0600 

Jeffrey Hutzelman wrote:
> 
> 
> On Friday, February 23, 2007 12:03:58 PM -0600 "Douglas E. Engert" 
> <deengert@anl.gov> wrote:
> 
>> So to force sshd to use a session based cache we added a
>> "pam_krb5_cache.so.1 cache=/tmp/krb5cc_%u_%p" to set the cache name.
> 
> Horray for extensibility!
> 
> 
>> Also as you must already know, I have bee bugging them to
>> release the Kerberos header files for Solaris 10, so one could
>> compile *aklog* using the Solaris Kerberos. (This is reported to be
>> in "update 4". looks like this might be another 6 months!)
>> We have ben using OpenSolaris Kerberos header files with Solaris 10,
>> and so far it works.
> 
> There are krb5 headers in /usr/include/kerberosV5 on my snv_56 box.

On my Ultra 25 with Solaris 10 and every other Solaris 10 box, they
just have the two MIT copyright files.

> 
>>> As for home directories; we've been putting users' home
>>> directories in AFS for O(15) years, though we only appear to have been
>>> supporting Solaris since 1995. If you have specific issues, please
>>> describe them instead of asking that Sun be "willing to state a desire"
>>> for things to work that already do.
>>
>> There are still issues with having to have an AFS token before any
>> files in the home directory are accessed, even the .k5login. Since this
>> is a general OS problem.
> 
> That's hardly specific to Solaris, nor really something Sun can do 
> anything about, short of using a different authorization model.  My 
> usual recommended answer to this problem is to be less fascist about 
> home directory ACL's, but of course that's not for everyone.
> 

Same here. Symlinks to a .Dotfile directory. Messy but works.
(My home directory has been in AFS since 1992.)
But until this general problem can be solved on *all* platforms
one can not tighten down the ACLs on the home directory. Maybe
get Sun do somehting about it on their systems. NFSv4 should
have the same problem, so maybe they will.

> 
>> The point is things don't work as well as they could, partly because the
>> OS developers don't use AFS. This "acceptance of a "gift" might be the
>> time to get Sun to look a little closer at how things really work.
> 
> Bear in mind that at the moment, we're not talking about whether we 
> should accept a grant.  We're talking about whether we should ask for 
> one.  (In fact, even that isn't really a topic for openafs-info, but 
> it's too late to do anything about that now).
> 
> -- Jeff
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444