Russ Allbery wrote:
Jeffrey Hutzelman <[EMAIL PROTECTED]> writes:
No it doesn't. All it needs is a relatively simple library which
provides a way to check for the presence of AFS and to make AFS system
calls, particularly setpag and pioctl.
Conveniently, heimdal comes with such a library; it's called libkafs and
includes functions like k_hasafs(), k_pioctl(), k_unlog(), and
k_setpag(). IIRC, Derrick used to distribute a standalone version of
this library for people not using Heimdal, but it's probably pretty
stale by now.
Certainly such a library would be useful. If someone wants to implement
it without all of the dependencies that Heimdal libkafs has, I'd be all in
favor of it. Heimdal's libkafs has significant dependencies and isn't
really suitable for use outside of a system built with Heimdal in general.
Ugh. lsetpag() is not really intended to be a public interface. The
public interface provided by AFS is called setpag().
Providing setpag in a shared library that's actually maintainable is,
right now, unfeasible in OpenAFS without a great deal of work. If you
don't agree, please do say so, but I looked at it somewhat seriously and
it was way more work that I thought was likely to happen. It requires,
for instance, pulling in all of Rx.
I agree, setpag has too much baggage added for the translator I believe.
lsetpag is basiclly a syscall.
Doing that work requires caring way more about the NFS translator than I
do, I'm afraid.
Also, I'd suggest that instead of a shared library containing only
lsetpag, it might be better to provide a library containing the
functions I named above, with the same API that the KTH folks have been
distributing for years.
I think it would be better, yes, but it's a lot more work if you want to
really match APIs, since that requires providing krb_afslog and
krb5_afslog.
Setting of the PAG has little to do with Kerberos, and no Kerberos
code is need to set the PAG. The idea is to get the PAG at the daemon
process, then later on in other processes or even in the same process add tokens
under the PAG.
Basically, we'd be talking about taking most of aklog and putting it in a
library. Which isn't at all a bad idea, but it's a larger project, and
I'd really like to see a solution for this in the shorter term. Long
term, absolutely, I think that's a fine idea, and if we can keep it
API-compatible with Heimdal, that would be awesome.
Yes, aklog in a library, fine, but keep the setting of the PAG separate.
Ideally, you would like the setting of the PAG to be so trivial, that
any vendor would always add this into all of their daemons, even if
AFS was not present.
If you want something short term, see the gafstoken which is used
by pam_afs2. It traps SIGSYS and SIGSEGV, then does a syscall,
on linux, tries the open(PROC_SYSCALL_FNAME, O_RDWR); and
open(PROC_SYSCALL_ARLA_FNAME, O_RDWR); first, then tries a syscall.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
