Well, is anything really transparent for the administrator? Especially w.r.t. AFS, where the admin has to also configure the ThisCell, the AFS cache size (pre-allocate a cache partition, too, on Linux), edit ThisCell to be reasonable, and set numerous other client options (config files on Mac and Linux and "ew" registry on Windows)?
A GUI installer/config doo-hickey would certainly be nice, of course, for the less tech-savvy administrator or the end user trying to install AFS and needing to configure some of those other options (esp., again, on non-Windows/Mac). I enjoy the cell input dialog and the Windows GUI installer. But, for more managed installations, I'm also glad that on Linux they aren't required (just install the rpm and push out some config files).

W.r.t. PAM, I like the idea of AFS being just another PAM module, versus some other mechanism that's different from anything else.

Could AFS work like other Kerberos apps with more direct use of Kerberos tickets and just getting the service ticket when needed, versus having to do something extra (i.e., aklog)? Dunno. Would be nice, but not required, IMHO, as long as the user experience is sane.

On Fri, Aug 01, 2014 at 09:40:39AM -0500, Andrew Deason wrote:
> On Fri, 1 Aug 2014 07:02:34 -0400
> chas williams - CONTRACTOR <[email protected]> wrote:
>
> > On Thu, 31 Jul 2014 15:29:47 -0500
> > Andrew Deason <[email protected]> wrote:
> >
> > > The first time I heard this I was a bit surprised, but that may be just
> > > because I'm very used to the 'aklog' approach and find it intuitive. You
> > > need to tell the kernel what credentials you want it to use for AFS
> > > access; makes sense to me.
> >
> > Usually, aklog is handled transparently here, either via MIT's krb5
> > login (et al) client calling out to aklog or via pam_krb5.
>
> This isn't "transparent" for the administrator, though. You had to
> install an afs-specific pam module, or specify that something runs
> aklog; something like that. (And of course, that's only for things that
> run through PAM.)
>
> > > The alternative is to effectively "guess" what credentials we should
> > > be using, which is what NFSv4 does (rpc.gssd).[...]
> >
> > Not impossible for Linux. I believe that the Linux keyring code
> > allows for down calls from the kernel to user space in order to ask
> > something to insert the appropriate keys (see keys-request-key.txt in
> > the Linux kernel).
>
> We can do a userspace upcall on any platform; that's not the hard part...
>
> --
> Andrew Deason
> [email protected]
>
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info

--
********************************
David William Botsch
Programmer/Analyst @CNFComputing
[email protected]
********************************
