Using the MSLSA krb5_ccache type with a non-Microsoft KDC

Jeffrey Altman jaltman at columbia.edu
Sat Dec 20 11:39:51 EST 2003


Douglas E. Engert wrote:

>Jeffrey Altman wrote:
>
>>MIT kinit could use AcquireCredentialHandle but then the resulting
>>credential handle must be used instead of the Session ID when accessing
>>the resulting cache.  That Credential Handle will not be available to
>>other applications.
>>
>>What I do not understand is what you would gain by MIT kinit obtaining
>>an LSA credential.  As you said, you currently use either the SSPI or
>>gssapi32.dll.  If you are using the MIT kinit then you have gssapi32.dll
>>and the appropriate credentials.  Or you have the krb5_32.dll depending
>>on which method of obtaining the AFS tokens you wish to use.
>
>Flexibility. Some users/sites don't want the MIT tools on the machine
>at all. Some users/sites are using machines that are not in the realm
>or domain and use a computer which does not need a password to log in.
>Yet they need access to network resources like AFS. And then there are
>many that need what you describe below.

But if the reason for adding the new functionality to the MIT Kerberos
code is to provide flexibility for those who do not want to have the
MIT Kerberos code on their machine, I don't see how doing this extra
work benefits anyone.

What I see is that there is a benefit for application writers to do
what you are already doing.  Develop applications which can use both
sets of APIs depending on their situation.  That is a different goal
than what we are trying to achieve.  We are attempting to provide one
API which can be used for both.  Therefore, if you choose to use KfW
on your machine, then you will gain the ability to transparently use
the LSA logon credentials if you have them.

OpenAFS for Windows will almost certainly have a KfW dependency in the
next stable release.  In fact, the installer will install KfW for you
if it is not already installed. 

Jeffrey Altman


