On Fri, 1 Aug 2014 07:02:34 -0400 chas williams - CONTRACTOR <[email protected]> wrote:
> On Thu, 31 Jul 2014 15:29:47 -0500
> Andrew Deason <[email protected]> wrote:
>
> > The first time I heard this I was a bit surprised, but that may be just
> > because I'm very used to the 'aklog' approach and find it intuitive. You
> > need to tell the kernel what credentials you want it to use for AFS
> > access; makes sense to me.
>
> Usually, aklog is handled transparently here, either via MIT's krb5
> login (et al) client calling out to aklog or via pam_krb5.

This isn't "transparent" for the administrator, though. You had to install an afs-specific pam module, or specify that something runs aklog; something like that. (And of course, that's only for things that run through PAM.)

> > The alternative is to effectively "guess" what credentials we should
> > be using, which is what NFSv4 does (rpc.gssd).[...]
>
> Not impossible for Linux. I believe that the Linux keyring code
> allows for down calls from the kernel to user space in order to ask
> something to insert the appropriate keys (see keys-request-key.txt in
> the Linux kernel).

We can do a userspace upcall on any platform; that's not the hard part...

-- 
Andrew Deason
[email protected]
