[OpenAFS] Re: Any budding documentation writers
Wed, 3 Mar 2010 19:34:55 +0000
On 3 Mar 2010, at 19:13, Russ Allbery wrote:
> Er, many OpenAFS users do not have simple control over their Kerberos
> configuration without duplicating it and setting environment
> And for debugging purposes, it's obnoxious to have to make a
> separate copy
> of krb5.conf and mess around with the environment variable whose
> name I
> always put the wrong number of underscores in, rather than just
> using a
> command-line flag.
Actually, I'm not sure that GSSAPI will let us do this. A
GSS_C_NT_HOSTBASED_SERVICE is defined as being "service@hostname",
with no provision for specifying a realm.
We could define the acceptor identity as a GSS_KRB5_NT_PRINCIPAL_NAME,
but that completely ties us to using Kerberos as the GSSAPI mechanism.
It's not clear to me whether a name defined using one OID can be
portably used by an endpoint expecting a different OID.