[OpenAFS] Re: Any budding documentation writers

Russ Allbery rra@stanford.edu
Wed, 03 Mar 2010 12:37:27 -0800


Andrew Deason <adeason@sinenomine.net> writes:

> I'm not familiar with this area of the code at all, but are you saying
> you cannot acquire krb5 creds within an application, and (through some
> GSS hoops) pass it on to rxgk? That we must have a ticket cache (e.g.
> pointed to by KRB5CCNAME) available?

> I believe I am just misunderstanding you, but that is what I am hearing.

It's worth noting that using KRB5CCNAME to pass credentials to GSSAPI
libraries has some serious problems.  For one, environment variables
aren't thread-specific, so if you want multiple Apache worker threads to
be using different Kerberos credential caches, you lose.  The Kerberos
GSSAPI libraries have some APIs to set the ticket cache, but I believe
only if you have access to the GSSAPI context, which you probably won't.

Also worth noting is that you are, in practice, often forcing disk-based
credential caches if you have to pass Kerberos tickets into GSSAPI via
KRB5CCNAME, since memory caches will fail if your application is linked
with a different Kerberos library than the one your GSSAPI libraries are
linked with, and other cache types such as keyring or kcm are
implementation-specific.

Some of these drawbacks are not particularly serious for AFS since the AFS
token mechanism imposes similar limits already.  But if we improve tokens
down the road, they could become more serious.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>