[OpenAFS] Re: Authentication without aklog
Benjamin Kaduk
kaduk@MIT.EDU
Thu, 31 Jul 2014 19:00:00 -0400 (EDT)
On Thu, 31 Jul 2014, Brandon Allbery wrote:
> For what it's worth, I am seeing more people move to (or start with)
> NFSv4 and then run into the restrictions imposed by rpc.gssd and become
> frustrated. This seems to be educational as to why OpenAFS uses tokens.
I find it interesting that we are all phrasing this in terms of a
comparison to rpc.gssd ... which is a Linux-specific piece of
functionality. Yes, Solaris and BSD have gssd, but they're different
implementations. To me, this represents a big difficulty for a
project as cross-platform as OpenAFS; it would probably require dedicated
effort per-platform, so we would likely end up in a fragmented state for
some (long) period of time. Then again, I guess we're already fragmented
for other things (i.e., PAGs), so maybe that's not so bad. I don't know
how many sites there are that require cross-platform feature parity, these
days.
The improvements to the KEYRING: cache type that went into MIT krb5 1.12
help rpc.gssd out quite a bit, giving it a much better idea of what krb5
credentials are tied to which user sessions/processes/etc., but that is,
of course, Linux-specific.
It's also worth mentioning that our life in this space will get harder
when rxgk comes into play.
-Ben