[OpenAFS] AFS Token not renewable after integrated login

Jeffrey Altman jaltman@your-file-system.com
Sat, 28 Feb 2015 17:12:58 -0500



Dr. Hendrik,

I apologize for the very late reply.

On 12/12/2014 4:48 PM, Dr. Hendrik Naumann wrote:
> Hi Jeffrey
>
> Thanks for your detailed answer. Questions below.
>
> [deleted text]
>
> Your users are a very heterogeneous and international group of
> scientists focused on their projects. Some of them don't even speak
> good English, nor German. Thus it is very hard for us to get through
> with this kind of information.

I suspect you meant to say "Users of OpenAFS are a very heterogeneous
and international group ...".

Instead you addressed to me, "Your users are ...".  This bothers me
because I do not have any users.  My companies have customers and those
customers can submit support and feature requests for products they
license or purchase support for.

While it is nice to hear that members of the tu-berlin.de community are
for the most part happy with software I have contributed to, they are
not my users.  They do not feed my family or those of my employees, nor
do they put a roof over their heads nor contribute to their medical
expenses.  (That last is a sore point for those of us living in a
country without nationalized health care.)

The vast majority of consumers of open source software forget that
complex software does not magically appear.  It does not maintain itself
nor does it update itself.  Unlike most consumer applications, a file
system is tightly integrated into the operating system and requires
adjustments for each and every operating system release.  That requires
not only a deep understanding of the file system but of the operating
system internals.  In the end it is people who are the software
developers, perform the testing, and in a perfect world write
documentation.

When I started publishing open source software in the late 1980s open
source for the most part was the product of academic institutions.
Whether it be students, research projects or to a large extent system
administration staff that developed programs to solve the hard problems
of the day.

When OpenAFS was released by IBM in 2000, it was academic institutions
that provided the staff that took the leadership roles on the Elders,
provided the Gatekeepers, wrote and tested the software and generated
binary releases and later installation packaging for Windows, OSX, and
Linux.  In 2000, the people that performed all of these activities were
paid to do so by the institutions that deployed OpenAFS.

Today, there are a decreasing number of contributors and contributions,
especially from individuals employed by end user institutions.  It's
been a long time since organizations have been called out for directly
helping OpenAFS, so I'm going to do so.

Your File System Inc. pays the salaries of the gatekeepers, Daria
Brashear (also former Elder and Foundation Board member) and myself.  It
also pays Marc Dionne, who has performed most of the work tracking the
nightly changes in the Linux mainline kernel repository, and Simon
Wilkinson, who is the OpenAFS Security Officer and the leading expert in
Rx.  Your File System Inc. also pays Peter Scott and Rod Widdowson, who
are contributors to the Windows client.  Your File System provides a
number of Buildbot builders.

Secure Endpoints Inc. funds a large amount of the code that has been
contributed to Heimdal including work by Luke Howard, Nico Williams, and
others.  Secure Endpoints can also be thanked for Network Identity
Manager.  Heimdal is important to OpenAFS because OpenAFS imports
critical components including its cross-platform compatibility and
crypto libraries from Heimdal.

Sine Nomine Associates employs Andrew Deason, Mike Meffie (one of the
AFS3 Standardization Chairs and I believe a registrar), Mark Vitale, and
Perry Ruiter.  SNA also provides a number of Buildbot builders as well as
assists with the administration of the Buildbot master.  SNA's Margarete
Zimmer is a Foundation Board member.

Carnegie Mellon employs Jeffrey Hutzelman (AFS3 Standardization Chair
and registrar), Chaskiel Grundman, and Roman Mitz (Treasurer, former
Elder and Foundation Board member).  Jeff and Chaskiel provide much of
the openafs.org infrastructure on a personal basis including all of the
mail services, the request tracker, web services, afs services, and
registrar services.

MIT employs Ben Kaduk who is the most prolific developer in the
community at the moment.  MIT hosts a number of core services including
the OpenAFS Gerrit instance, the Buildbot master, and the master source
code repository.

DESY employs Stephan Wiesand (the 1.6 series release manager).

UNC Charlotte employs Jason Edgecombe (Buildbot manager) and Nathan
Hatley, and provides a number of Buildbot builders.

MIT's CSAIL employs Garrett Wollman and provides a number of Buildbot
builders.

IBM's Todd deSantis still participates in an official capacity as a
Foundation Board member.  He was a founding Elder.

Cornell NanoScale Science and Technology Facility employs David Botsch
(Newsletter author, Foundation Board member) and provides a number of
Buildbot builders.

US Geological Survey employs David Boldt (Foundation Board member).

Naval Research Lab employs Chas Williams without whom Ben Kaduk would
probably go mad.  Chas not only contributes code but also performs a
large number of code reviews.

University of Edinburgh provides the Mock builder that generates many of
the Linux packages.  Edinburgh also hosted one of the recent conferences.

Rechenzentrum Garching (RZG) employs Christof Hanke who produces the
SuSE packages.

CERN has a number of contributors on staff and also hosted the most
recent conference.  Thanks cannot be offered enough to those who
enable conferences to take place.

Tom Keiser is a member of the Foundation Board and a former prolific
source contributor to OpenAFS during his time working for SNA.


There are other individual source code contributors.  A full list of
current and historical contributors can be viewed via OpenHub as
constructed from the source code repository.

  https://www.openhub.net/p/openafs/contributors

I want to offer explicit thanks to all of these organizations and
individuals for their contributions.

There are a broader number of organizations that purchase support or
services from commercial support providers such as Sine Nomine
Associates and Your File System Inc.  Purchasing a support agreement
should not be viewed as a contribution to OpenAFS.  Support providers
and their employees have legal obligations to their customers and
ethical obligations to those organizations that directly contribute to
OpenAFS; they do not have an obligation to the broader end user
community that takes free advantage of the work product.  That being
said, without support contracts Your File System Inc. and Sine Nomine
Associates would not exist to participate in the OpenAFS community.

> Is there any chance to implement a feature that the TGT is just
> stored to some file, that later can be imported by the NIM, by a logon
> script?

As my friend Gerry Seidman says, "with a million lines of code you can
do anything".

I have no plans to implement such a feature for OpenAFS.  For starters,
who should implement it?  Should it be part of OpenAFS?  Part of Network
Identity Manager?  Or part of the Kerberos distribution?  These
are different source trees provided by three independent groups of
developers.

Is stashing the Kerberos ticket in a FILE based cache the right thing to
do for all accounts?  What if Network Identity Manager is not used and
there is nothing to consume the contents of the cache and import them
into the API based credential cache?  What if the account is a Domain
account?  There are other edge cases I can come up with.

My long term plan for Heimdal on Windows is to implement an in-kernel
Kerberos credential cache that is layered on top of the AFS Redirector
AuthGroup framework.  The benefit of this approach is that the
integrated logon process can store Kerberos credentials into the
AuthGroup cache at the same time that it obtains the AFS tokens.  The
Kerberos credentials and AFS tokens are then available not only in the
logon session processes that inherit the AuthGroup but also in child
processes that run in an elevated permission state or impersonate a
calling process.  It then becomes possible for the integrated logon
provider to spawn a process to auto-renew the credentials without the
need for a Network Identity Manager style credential manager.  Such an
approach is secure, seamless and safe to deploy in all configurations.

This is a project that an organization can choose to implement on their
own and contribute to the community, hire someone to develop, or wait
until I have time to implement it for the Your File System Inc. AuriStor
client.

> Thanks
>
> Hendrik Naumann

Sincerely,

Jeffrey Altman
