[OpenAFS] Re: Any budding documentation writers

Simon Wilkinson sxw@inf.ed.ac.uk
Wed, 3 Mar 2010 19:34:55 +0000


On 3 Mar 2010, at 19:13, Russ Allbery wrote:

> Er, many OpenAFS users do not have simple control over their Kerberos
> configuration without duplicating it and setting environment variables.
> And for debugging purposes, it's obnoxious to have to make a separate copy
> of krb5.conf and mess around with the environment variable whose name I
> always put the wrong number of underscores in, rather than just using a
> command-line flag.

Actually, I'm not sure that GSSAPI will let us do this. A
GSS_C_NT_HOSTBASED_SERVICE is defined as being "service@hostname",
with no provision for specifying a realm.

We could define the acceptor identity as a GSS_KRB5_NT_PRINCIPAL_NAME,
but that completely ties us to using Kerberos as the GSSAPI mechanism.
It's not clear to me whether a name defined using one OID can be
portably used by an endpoint expecting a different OID.

S.