[OpenAFS-win32-devel] Re: [OpenAFS] OpenAFS for Windows - outstanding projects report and call for testers

Jeffrey Altman jaltman@columbia.edu
Wed, 14 Jul 2004 01:13:43 -0400


The concept of a "default cell" for the client service is very specific
in meaning. The default cell is the cell from which the afs client
service obtains the root.afs volume. There is nothing user specific
about this "default". In fact, when dynamic roots (freelance mode on
windows) are in use there is no "default cell" at all. This is because
the root.afs volume which is used is created locally within the afs
client service.

At the present time, the afs client's default cell name is also used for
another purpose. It is used as the default cell for user authentication
in afscreds.exe, aklog.exe, klog.exe, leash32.exe, etc. However, there
is no reason why there should be such a binding. Especially on a
multi-user system with roaming profiles. I may want to have my default
authentication cell be athena.mit.edu even though the local afs client
is bound to secure-endpoints.com.

The windows client already supports obtaining tokens for multiple cells
from a single Kerberos 5 principal. When viewed in this perspective, is
the concept of a single default cell for authentication even desirable?
What I really want is for AFS to be smart enough to know that with my
jaltman@ATHENA.MIT.EDU TGT I can obtain afs tokens for athena.mit.edu,
grand.central.org, dementia.org, secure-endpoints.com, etc. In this case
I don't really have a default cell, but a collection of cells. When I
authenticate I want to obtain tokens for all of them.

This is the direction I am headed. 

Jeffrey Altman



Tim C. wrote:

> I like most of the changes, and I'd like to say thanks! :)  I had a
> question about the long term projects.
>
>> 1. No longer use AFS Client Service "cell" as the default cell for
>> individual users
>
> What does this mean?  Is this saying that the default cell for the
> machine as a whole won't be the default cell for users?  On unix, the
> ThisCell file defines the default cell, and it's the default cell for
> everyone.  Will the windows client not follow this behavior?  So people
> will be able to set their default cell?  I'm not too sure I like this.
>
> Thanks,
>   Tim
>
> -----------------------------------------------------------------------
> Tim Craig            These are my opinions and not my employers. :)
> OIT-Systems
> tim@umbc.edu         It's hard to be serious when you're
>                        naked. - Garfield
> -----------------------------------------------------------------------
