Andrew Deason <[email protected]> writes:

> I'm not familiar with this area of the code at all, but are you saying
> you cannot acquire krb5 creds within an application, and (through some
> GSS hoops) pass it on to rxgk? That we must have a ticket cache (e.g.
> pointed to by KRB5CCNAME) available?

> I believe I am just misunderstanding you, but that is what I am hearing.

It's worth noting that using KRB5CCNAME to pass credentials to GSSAPI
libraries has some serious problems. For one, environment variables
aren't thread-specific, so if you want multiple Apache worker threads to
be using different Kerberos credential caches, you lose. The Kerberos
GSSAPI libraries have some APIs to set the ticket cache, but I believe
only if you have access to the GSSAPI context, which you probably won't.

Also worth noting is that you are, in practice, often forcing disk-based
credential caches if you have to pass Kerberos tickets into GSSAPI via
KRB5CCNAME, since memory caches will fail if your application is linked
with a different Kerberos library than the one your GSSAPI libraries are
linked with, and other cache types such as keyring or kcm are
implementation-specific.

Some of these drawbacks are not particularly serious for AFS since the
AFS token mechanism imposes similar limits already. But if we improve
tokens down the road, they could become more serious.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
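The thread problem raised in the message above, shown as an added example (not part of the original post and not OpenAFS or GSSAPI code): worker threads each set `KRB5CCNAME` and then make a call that resolves the cache from the environment. `library_reads_cache` is a hypothetical stand-in for such a call, the cache names are constructed, and the serialized mode goes beyond the message to show what avoiding the collision costs.

```python
import os
import threading

ENV = "KRB5CCNAME"
# Constructed cache names, one per worker thread.
CACHES = ["FILE:/tmp/krb5cc_alice", "FILE:/tmp/krb5cc_bob", "FILE:/tmp/krb5cc_carol"]

def library_reads_cache():
    # Stand-in (assumption) for a GSSAPI call that takes no cache argument
    # and resolves the credential cache from the process environment.
    return os.environ.get(ENV)

def run_workers(caches, serialize):
    """Return {cache the worker wanted: cache the library call saw}."""
    seen = {}
    barrier = threading.Barrier(len(caches))
    lock = threading.Lock()

    def worker(cache):
        if serialize:
            # Set-and-use as one critical section: correct, but the workers
            # can no longer run their library calls concurrently.
            with lock:
                os.environ[ENV] = cache
                seen[cache] = library_reads_cache()
        else:
            os.environ[ENV] = cache
            barrier.wait()  # every worker has written; only the last write survives
            seen[cache] = library_reads_cache()

    saved = os.environ.get(ENV)
    threads = [threading.Thread(target=worker, args=(c,)) for c in caches]
    try:
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    finally:
        # Restore the caller's environment.
        if saved is None:
            os.environ.pop(ENV, None)
        else:
            os.environ[ENV] = saved
    return seen

if __name__ == "__main__":
    for mode in (False, True):
        for want, got in sorted(run_workers(CACHES, mode).items()):
            print(f"serialize={mode} wanted={want} library_saw={got}")
```

In the unserialized run every worker ends up using the same cache, so all but one of them act with another worker's credentials.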
