[OpenAFS] Re: Authentication without aklog
Thu, 31 Jul 2014 19:00:00 -0400 (EDT)
On Thu, 31 Jul 2014, Brandon Allbery wrote:
> For what it's worth, I am seeing more people move to (or start with)
> NFSv4 and then run into the restrictions imposed by rpc.gssd and become
> frustrated. This seems to be educational as to why OpenAFS uses tokens.
I find it interesting that we are all phrasing this in terms of a
comparison to rpc.gssd ... which is a linux-specific piece of
functionality. Yes, Solaris and BSD have gssd, but they're different
implementations. To me, this represents a big dificulty for a
project as cross-platform as OpenAFS; it would probably require dedicated
effort per-platform, so we would likely end up in a fragmented state for
some (long) period of time. Then again, I guess we're already fragmented
for other things (i.e., PAGs), so maybe that's not so bad. I don't know
how many sites there are that require cross-platform feature parity, these
The improvements to the KEYRING: cache type that went into MIT krb5 1.12
help rpc.gssd out quite a bit, giving it a much better idea of what krb5
credentials are tied to which user sessions/processes/etc., but that is,
of course, linux-specific.
It's also worth mentioning that our life in this space will get harder
when rxgk comes into play.