Andrew Deason <[email protected]> writes:

> Jeffrey Altman <[email protected]> wrote:
>
>> As with any Kerberos based GSSAPI mechanism there needs to be a
>> credential cache. Even klog.krb5 uses a credential cache. It just
>> destroys the contents of the cache it creates after it is finished.
>
> This is what I didn't know. That seems crazy to me, but if that's what
> we've got, it's what we've got.

Well, bear in mind that one of the goals of rxgk is to have per-server credentials, so that someone can set up an AFS file server without getting the keys to the entire cell. This means that a client may have to authenticate separately with each server, which means that in a Kerberos context one cannot do the current aklog trick of getting all the service tickets one needs in advance. You instead need to give rxgk a TGT so that it can obtain new credentials to authenticate to other servers when needed.

This in and of itself wouldn't require a ticket cache if there were some way for rxgk to communicate Kerberos credentials down to the Kerberos mechanism implementation through the GSSAPI API in the event that Kerberos was a supported mechanism, but this both requires mechanism-specific information in the front-end (which Simon is trying to avoid because it does make your life more complicated and runs a significant risk of breaking other mechanisms if you do it wrong), and requires a richer GSSAPI API than is normally available.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
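The contrast Russ draws above (fetch every service ticket up front with aklog versus keep a TGT and obtain per-server credentials on demand) can be made concrete with a small model. The following is an added example written for this page; it is not OpenAFS, rxgk or MIT Kerberos code. It uses an HMAC under a per-service key as a stand-in for Kerberos ticket encryption, and all names (`ToyKDC`, `aklog_style`, `tgt_style`, `connect`, the `afs/fsN` principals) are hypothetical. The point it shows is the one in the message: once the TGT is gone from the cache, a client cannot reach a server it did not anticipate, whereas a cache that still holds the TGT can; and because each server verifies only with its own key, a ticket for one file server is useless at another.

```python
"""Toy model of the two credential strategies discussed in the thread.

Constructed illustration, not OpenAFS/rxgk code. A "KDC" holds one key per
service; a service ticket is an HMAC over (client, service, expiry) under that
service's key, so a ticket for one file server says nothing about any other
server's key. Two client strategies are compared:

  * aklog_style: obtain every service ticket up front, then discard the TGT
    (the cache no longer lets the client reach a server it did not anticipate).
  * tgt_style:   keep the TGT in the cache and fetch service tickets lazily,
    which is what a per-server-key rxgk deployment needs.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class Ticket:
    client: str
    service: str
    expiry: int
    mac: bytes


class ToyKDC:
    """Holds a key per service principal. Constructed stand-in for a Kerberos KDC."""

    def __init__(self, services):
        self.keys = {name: secrets.token_bytes(32) for name in services}
        self.tgs_key = secrets.token_bytes(32)

    def _mint(self, key, client, service, expiry):
        msg = f"{client}|{service}|{expiry}".encode()
        return Ticket(client, service, expiry, hmac.new(key, msg, hashlib.sha256).digest())

    def issue_tgt(self, client, expiry=1000):
        return self._mint(self.tgs_key, client, "krbtgt", expiry)

    def issue_service_ticket(self, tgt, service):
        # The TGT must verify under the TGS key, and the service must be known.
        expected = self._mint(self.tgs_key, tgt.client, "krbtgt", tgt.expiry)
        if not hmac.compare_digest(expected.mac, tgt.mac):
            raise PermissionError("bad TGT")
        if service not in self.keys:
            raise KeyError(f"unknown service {service}")
        return self._mint(self.keys[service], tgt.client, service, tgt.expiry)

    def server_accepts(self, service, ticket):
        # A server checks the ticket only with its own key: per-server trust,
        # so compromising one server's key does not forge tickets for another.
        expected = self._mint(self.keys[service], ticket.client, service, ticket.expiry)
        return hmac.compare_digest(expected.mac, ticket.mac)


@dataclass
class CredCache:
    tgt: Optional[Ticket] = None
    service_tickets: Dict[str, Ticket] = field(default_factory=dict)


def aklog_style(kdc, client, known_servers):
    """Fetch every ticket in advance, then drop the TGT from the cache."""
    tgt = kdc.issue_tgt(client)
    cache = CredCache(tgt=None)
    for srv in known_servers:
        cache.service_tickets[srv] = kdc.issue_service_ticket(tgt, srv)
    return cache


def tgt_style(kdc, client):
    """Keep only the TGT; service tickets are obtained on first contact."""
    return CredCache(tgt=kdc.issue_tgt(client))


def connect(kdc, cache, service):
    """Return True if the client can present a valid ticket to `service`."""
    ticket = cache.service_tickets.get(service)
    if ticket is None:
        if cache.tgt is None:
            return False  # no ticket and no TGT to obtain one with
        ticket = kdc.issue_service_ticket(cache.tgt, service)
        cache.service_tickets[service] = ticket
    return kdc.server_accepts(service, ticket)


if __name__ == "__main__":
    kdc = ToyKDC(["afs/fs1", "afs/fs2", "afs/fs3"])
    pre = aklog_style(kdc, "user", ["afs/fs1", "afs/fs2"])
    lazy = tgt_style(kdc, "user")
    print("aklog-style -> fs3:", connect(kdc, pre, "afs/fs3"))   # False
    print("tgt-style   -> fs3:", connect(kdc, lazy, "afs/fs3"))  # True
```

The model deliberately keeps the TGT in the same cache object as the service tickets: that is the "credential cache" the message says rxgk needs, and the reason klog.krb5-style destroy-after-use does not fit a design where new servers may have to be contacted later.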
