Nicolas Williams wrote:
> On Wed, Mar 29, 2006 at 03:24:24PM -0600, Will Fiveash wrote: > >>On Wed, Mar 29, 2006 at 10:02:54AM -0600, Douglas E. Engert wrote: >> >>>If you really wanted to get this to work better, add a parameter >>>on to your pam_krb5 to support this, and have it set the KRB5CCNAME. >> >>Suggestion noted. > > > Sure, but not enough -- the kernel-land kgssapi/krb5 code and gssd can't > use KRB5CCNAME to find a Secure NFS client process' ccache. > > We really need a concept like the AFS PAG... Can you do anything like what DCE/DFS used to do? In response to a note on the OpenAFS mailing list commenting on the disjoint use of PAGS and ticket caches I pointed out DCE had a middle ground approach to keep the PAGs and ticket caches in sync. > Henry B. Hotz wrote: > >> >> You know the only thing that would *really* satisfy me is if Kerberos >> and AFS used the same ticket/token storage mechanism, and that >> mechanism had all the properties of PAG's (and there were proper >> tools for dealing with the storage). None of the three camps have >> made fundamentally wrong design decisions, but I hate the results. >> > > Sounds like what DCE/DFS did. The Kerberos tickets where stored > in a well known location, with the PAG number as part of the file name. > /opt/dcelocal/var/security/creds/deccred_xxxxxxxx where xxxxxxxx was > the PAG. Then the kernel could tell dced (something > like afsd) to fetch a ticket from the cache or even get additional tickets > and renew tickets. This also allowed DFS to use a separate principal > for each server. This is kind of what Windows does too with cifs/servername > principals. So it can be done. > > Other applications could use the tickets in the cache by seting the > KRB5CCNAME to point at the deccred_xxxxxxxx. So "Kerberos and DFS used the > same ticket/token storage mechanism." > >> I'll shut up now. I think we've beat this horse to death. > > It may not be dead, just turned out to pasture to early. -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
