[OpenAFS] AFS Token not renewable after integrated login
Sat, 28 Feb 2015 17:12:58 -0500
This is a cryptographically signed message in MIME format.
Content-Type: text/plain; charset=utf-8
I apologize for the very late reply.
On 12/12/2014 4:48 PM, Dr. Hendrik Naumann wrote:
> Hi Jeffray
> Thanks for you detailed answer. Questions below.
> [deleted text]
> Your users are a very heterogeniuos and international group of=20
> scientists focust to there projects. Some of them even don't speak=20
> good english, nor german. Thus it is very hard for us the get though=20
> with this kind of information.=20
I suspect you meant to say "Users of OpenAFS are a very heterogeneous
and international group ...".
Instead you addressed to me, "Your users are ...". This bothers me
because I do not have any users. My companies have customers and those
customers can submit support and feature requests for products they
license or purchase support for.
While it is nice to hear that members of the tu-berlin.de community are
for the most part happy with software I have contributed to, they are
not my users. They do not feed my family or those of my employees, nor
do they put a roof over their heads nor contribute to their medical
expenses. (That last is a sore point for those of us living in a
country without nationalized health care.)
The vast majority of consumers of open source software forget that
complex software does not magically appear. It does not maintain itself
nor does it update itself. Unlike most consumer applications, a file
system is tightly integrated into the operating system and requires
adjustments for each and every operating system release. That requires
not only a deep understanding of the file system but of the operating
system internals. In the end it is people who are the software
developers, perform the testing, and in a perfect world write documentati=
When I started publishing open source software in the late 1980s open
source for the most part was the product of academic institutions.
Whether it be students, research projects or to a large extent system
administration staff that developed programs to solve the hard problems
of the day.
When OpenAFS was released by IBM in 2000, it was academic institutions
that provided the staff that took the leadership roles on the Elders,
provided the Gatekeepers, wrote and tested the software and generated
binary releases and later installation packaging for Windows, OSX, and
Linux. In 2000, the people that performed all of these activities were
paid to do so by the institutions that deployed OpenAFS.
Today, there are a decreasing number of contributors and contributions.
Especially from individuals employed by end user institutions. Its
been a long time since organizations have been called out for directly
helping OpenAFS so I'm going to do so.
Your File System Inc. pays the salaries of the gatekeepers, Daria
Brashear (also former Elder and Foundation Board member) and myself. It
also pays Marc Dionne who has performed most of the work tracking the
nightly changes in the Linux mainline kernel repository. Simon
Wilkinson who is the OpenAFS Security Officer and the leading expert in
Rx. Your File System Inc. also pays Peter Scott and Rod Widdowson who
are contributors to the Windows client. Your File System provides a
number of Buildbot builders.
Secure Endpoints Inc. funds a large amount of the code that has been
contributed to Heimdal including work by Luke Howard, Nico Williams, and
others. Secure Endpoints can also be thanked for Network Identity
Manager. Heimdal is important to OpenAFS because OpenAFS imports
critical components including its cross-platform compatibility and
crypto libraries from Heimdal.
Sine Nomine Associates employs Andrew Deason, Mike Meffie (one of the
AFS3 Standardization Chairs and I believe a registrar), Mark Vitale, and
Perry Ruiter. SNA also provides number of Buildbot builders as well as
assists with the administration of the Buildbot master. SNA's Margarete
Zimmer is a Foundation Board member.
Carnegie Mellon employs Jeffrey Hutzelman (AFS3 Standardization Chair
and registrar), Chaskiel Grundman, and Roman Mitz (Treasurer, former
Elder and Foundation Board member). Jeff and Chaskiel provide much of
the openafs.org infrastructure on a personal basis including all of the
mail services, the request tracker, web services, afs services, and
MIT employs Ben Kaduk who is the most prolific developer in the
community at the moment. MIT hosts a number of core services including
the OpenAFS Gerrit instance, the Buildbot master, and the master source
DESY employs Stephan Wiesand (the 1.6 series release manager).
UNC Charlotte employs Jason Edgecombe (Buildbot manager) and Nathan
Hatley, and provides a number of Buildbot builders.
MIT's CSAIL employs Garrett Wollman and provides a number of Buildbot
IBM's Todd deSantis still participates in an official capacity as a
Foundation Board member. He was a founding Elder.
Cornell NanoScale Science and Technology Facility employs David Botsch
(Newsletter author, Foundation Board member) and provides a number of
US Geological Survey employs David Boldt (Foundation Board member).
Naval Research Lab employs Chas Williams without whom Ben Kaduk would
probably go mad. Chas not only contributes code but also performs a
large number of code reviews.
University of Edinburgh provides the Mock builder that generate much of
the linux packages. Edinburgh also hosted one of the recent conferences.
Rechenzentrum Garching (RZG) employs Christof Hanke who produces the
CERN has a number of contributors on staff but also hosted the most
recent conference. Thanks enough cannot be offered enough to those who
enable conferences to take place.
Tom Keiser is a member of the Foundation Board and a former prolific
source contributor to OpenAFS during his time working for SNA.
There are other individual source code contributors. A full list of
current and historical contributors can be viewed via OpenHub as
constructed from the source code repository.
I want to offer explicit thanks to all of these organizations and
individuals for their contributions.
There are a broader number of organizations that purchase support or
services from commercial support providers such as Sine Nomine
Associates and Your File System Inc. Purchasing a support agreement
should not be viewed as a contribution to OpenAFS. Support providers
and their employees have legal obligations to their customers and
ethical obligations to those organizations that directly contribute to
OpenAFS; they do not have an obligation to the broader end user
community that takes free advantage of the work product. That being
said, without support contracts Your File System Inc. and Sine Nomine
Associates would not exist to participate in the OpenAFS community.
> Is there any chance to implement a feature that the TGT ist just=20
> stored to some file, that later can be importet by the NIM, by a logon =
As my friend Gerry Seidman says, "with a million lines of code you can
I have no plans to implement such a feature for OpenAFS. For starters,
who should implement it? Should it be part of OpenAFS? Part of Network
Identity Manager? Or part of the Kerberos distribution? These
different source trees provided by three independent groups of developers=
Is stashing the Kerberos ticket in a FILE based cache the right thing to
do for all accounts? What if Network Identity Manager is not used and
there is nothing to consume the contents of the cache and import them
into the API based credential cache? What if the account is a Domain
account? There are other edge cases I can come up with.
My long term plan for Heimdal on Windows is to implement an in-kernel
Kerberos credential cache that is layered on top of the AFS Redirector
AuthGroup framework. The benefit of this approach is that the
integrated logon process can store Kerberos credentials into the
AuthGroup cache at the same time that it obtains the AFS tokens. The
Kerberos credentials and AFS tokens are then available not only in the
logon session processes that inherit the AuthGroup but also in child
processes that run in an elevated permission state or impersonate a
calling process. It then becomes possible for the integrated logon
provider to spawn a process to auto-renew the credentials without the
need for a Network Identity Manager style credential manager. Such an
approach is secure, seamless and safe to deploy in all configurations.
This is a project that an organization can choose to implement on their
own and contribute to the community, hire someone to develop, or wait
until I have time to implement it for the Your File System Inc. AuriStor
> Hendrik Naumann
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature