On 8/4/2014 6:38 AM, chas williams - CONTRACTOR wrote:
On Fri, 1 Aug 2014 17:35:15 -0500
Troy Benjegerdes <[email protected]> wrote:

The problem with AFS seems to be everyone who knows you need to 'kinit ; aklog'
and it's been so long we have all forgotten the experience of what it was like
before we realized this.

It has been a while but I believe I was told that you had to run aklog
because you were "logging into the storage".  This made sense at the
time since I couldn't access a remote system without first logging into
it as well.  We weren't big users of NFS at the time and this didn't
seem unusual.

Users have to "login" to other "network file systems" like Dropbox, Box,
or other Cloud systems. The issue of having to log in twice is a trust issue.
Users live with it every day, on the Web.

They do complain about multiple logins, so systems like Shibboleth, ADFS and
other SAML based identity management can extend that trust across more systems
and federations like InCommon.

AFS was just way ahead of its time...


12 years ago I wrote gssklog and gssklogd, that could use the
Globus GSI, a GSS implementation using PKI.  The AFS cell admin would
run the gssklogd and it would send AFS tokens back to a client
running the gssklog started by a Globus program. This then allowed
non-Kerberos 5 sites to use AFS from Globus and Grid Proxy certificates.

CERN was using it up to 2012:
http://itssb.web.cern.ch/service-change/phase-out-gssklog-service/22-02-2012

So single sign-on is possible, but it's a matter of trust.


I would hazard that rpc.gssd exists because someone didn't want to
alter the "NFS experience".

And they made the assumption NFS would trust the workstation login,
i.e. both used Kerberos, and a login to the workstation was a network login.




_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info


--

 Douglas E. Engert  <[email protected]>
