[OpenAFS] Administrators with a slash

Ciprian Dorin Craciun ciprian.craciun@gmail.com
Wed, 6 Mar 2019 15:28:10 +0200

On Wed, Mar 6, 2019 at 7:16 AM Benjamin Kaduk <kaduk@mit.edu> wrote:
> To a large extent, getting Kerberos set up is pretty much drop it in and
> switch it on, but there's a lot of flexibility about principal names,
> especially for administrative operations.  Getting it integrated with
> OpenAFS is mostly about having the right 'pts createuser's happen to
> register users, and creating the afs/cellname.fqdn principal to go in the
> rxkad.keytab and/or KeyFileExt -- at this point, AFS is just a regular
> kerberized service and doesn't require special treatment on the Kerberos
> side for the service principals.

Indeed this was my experience also, the Kerberos deployment was quite
trivial (once I've done it);  however in seemed (and still seems) that
I've "lost" something along the way because I lack the proper know-how
and expertise with Kerberos.

> I don't know of specific documentation for this, no.
> I think that many sites running Kerberos+AFS have some homegrown database
> management system that handles both and keeps them synchronized.

And this is unfortunate, especially since deploying OpenAFS "seems" a
daunting task for the small cell operator, or one that just wants to
"play" with the technology.  I say "seems" because deploying an
OpenAFS server can be done quite quickly with a couple of copy-pastes.

Perhaps (if I'll have time) I will prepare a small hands-on tutorial
on deploying OpenAFS on a Linux server.  (I know that there already
exists the "Quick Starting UNIX Guide", however it is far from
"quick"...)  :)

> > > Of course, rxgk will let us use fancier names for things, so we'll have to
> > > get used to a whole new world order when that finishes landing...
> >
> > Could you elaborate more on this?
> The short form is that we'll be able to use (encoded) GSS principal
> names in the UserList file.  It looks like the details haven't made it into
> the UserList.pod documentation yet (unsurprising, since the code to
> authenticate as them isn't in place yet), but the format includes a base64
> encoded version of the GSS exported name.

Basically it means one could use something alternative to Kerberos for
authentication?  (Something that is GSS-compliant?)