Jeffrey Hutzelman wrote:
> On Friday, February 23, 2007 09:23:21 AM -0600 "Douglas E. Engert"
> <[EMAIL PROTECTED]> wrote:
>
>> So getting 100,000 in equipment is only part of it. If you are
>> willing to state a desire to target OpenSolaris, Sun should be willing
>> to state a desire to integrate AFS credential handling
>> in their products too, like ssh delegation of credentials to get
>> AFS tokens, and having home directories in AFS.
>
> Doug, it's worth noting that the sorts of people who can give away
> equipment often have little or no control over things like operating
> system development, and asking for such things is at best useless.

But it is worth asking, to make sure even within Sun one hand knows
what the other is doing.

> On the other hand, we have plenty of contacts within Sun to help us with
> issues like this, and OpenSolaris, like OpenAFS, is an open-source
> software project in which any of us can participate.

Yes, I know many of them... and have Bcc'ed Nico and Willys on this note.

> Incidentally, it should be noted that Sun's ssh supports GSS-API
> userauth and key exchange out of the box, including credential
> delegation, and that its PAM support is considerably better than that of
> OpenSSH.

Yes, as you must already know, we are using the Solaris 10 ssh and sshd, and
Solaris Kerberos with great success, but it's not perfect. Sun insists on
using the default ticket cache for a user, krb5cc_<uid>, rather than a
session-based cache for each sshd session. They also insist on updating
only the TGT in a cache when it is acquired, rather than discarding
all the other tickets, so they will be re-obtained using the
new TGT. This has implications for aklog, as it can end up using
a ticket that will expire a lot sooner than expected. It also has
implications after a screen unlock. You also don't want
one session deleting the cache!

I have expressed my concerns to Nico on these issues over the years.

So to force sshd to use a session-based cache we added a
"pam_krb5_cache.so.1 cache=/tmp/krb5cc_%u_%p" to set the cache name.
We also are using the pam_afs2.so to get the PAG and token.

Also, as you must already know, I have been bugging them to
release the Kerberos header files for Solaris 10, so one could
compile *aklog* using the Solaris Kerberos. (This is reported to be
in "update 4". Looks like this might be another 6 months!)
We have been using OpenSolaris Kerberos header files with Solaris 10,
and so far it works.

> As for home directories; we've been putting users' home
> directories in AFS for O(15) years, though we only appear to have been
> supporting Solaris since 1995. If you have specific issues, please
> describe them instead of asking that Sun be "willing to state a desire"
> for things to work that already do.

There are still issues with having to have an AFS token before any
files in the home directory are accessed, even the .k5login. Since this
is a general OS problem.

The point is things don't work as well as they could, partly because the
OS developers don't use AFS. This acceptance of a "gift" might be the
time to get Sun to look a little closer at how things really work.

> -- Jeff
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
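The aklog problem Doug describes above (a TGT refreshed in place while older service tickets, including the afs ticket, stay in the cache with their earlier expiry) can be spotted from a plain klist listing. The following is an added example, not code from this thread, from OpenAFS or from Sun: it parses a constructed klist listing in the MIT/Solaris date layout (an assumption about the format) and reports service tickets that expire before the TGT they now sit beside, which is exactly the state that makes aklog pick a ticket that dies sooner than expected.

```python
"""Flag service tickets that will outlive-check badly: they expire before
the current TGT in the same cache.  Added example for this thread; the klist
text below is constructed sample data, not a real cache."""
from datetime import datetime

# Constructed sample: the TGT was re-acquired at 09:00, but the afs ticket
# obtained under the previous TGT (08:00) was left in place, so it expires
# an hour before the TGT does.  Cache name follows the %u_%p convention.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000_4242
Default principal: doug@EXAMPLE.ORG

Valid starting     Expires            Service principal
02/23/07 09:00:00  02/23/07 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
02/23/07 08:00:00  02/23/07 18:00:00  afs/example.org@EXAMPLE.ORG
02/23/07 09:05:00  02/23/07 19:00:00  host/ws1.example.org@EXAMPLE.ORG
"""

# Date layout assumed for this example (MIT / Solaris klist style).
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (cache_name, principal, [(start, expires, service), ...])."""
    cache = principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            parts = line.split()
            # A ticket line is: start date, start time, expiry date,
            # expiry time, service principal.  The column header has five
            # words too, but no '@', so it is skipped here.
            if len(parts) == 5 and "@" in parts[4]:
                try:
                    start = datetime.strptime(parts[0] + " " + parts[1], TIME_FMT)
                    exp = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
                except ValueError:
                    continue
                tickets.append((start, exp, parts[4]))
    return cache, principal, tickets


def tgt_expiry(tickets, realm):
    """Expiry of the TGT for the principal's own realm, or None if absent."""
    for _, exp, svc in tickets:
        if svc.startswith("krbtgt/" + realm + "@"):
            return exp
    return None


def stale_service_tickets(text):
    """Service principals whose ticket expires before the cache's TGT.

    Any entry returned is one aklog (or any other GSS client) could hand
    out with a shorter lifetime than the freshly acquired TGT suggests."""
    _, principal, tickets = parse_klist(text)
    if principal is None or "@" not in principal:
        return []
    realm = principal.rsplit("@", 1)[1]
    tgt_exp = tgt_expiry(tickets, realm)
    if tgt_exp is None:
        return []
    return sorted(svc for _, exp, svc in tickets
                  if exp < tgt_exp and not svc.startswith("krbtgt/"))


if __name__ == "__main__":
    cache, principal, _ = parse_klist(SAMPLE_KLIST)
    print("cache:", cache, "principal:", principal)
    for svc in stale_service_tickets(SAMPLE_KLIST):
        print("expires before TGT:", svc)
```

On a live system the same functions can be fed the output of `klist` for the session cache (`KRB5CCNAME=/tmp/krb5cc_<uid>_<pid> klist`); an empty result means every service ticket was re-obtained under the current TGT, which is the behaviour Doug wants from discarding the old tickets instead of updating the TGT alone.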
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info