Porting Heimdal's libkafs to MIT Kerberos

Ken Hornstein kenh at cmf.nrl.navy.mil
Sat Jan 10 23:39:34 EST 2004


>Why is AFS special besides historical reasons?  Other than historical
>decisions, why should Kerberos implementations contain code to deal
>with AFS rather than AFS implementations contain code to deal with
>Kerberos?  If MIT chooses to integrate this code how will we avoid
>opening the floodgates to vaguely related technologies?

To be fair ... I have never seen a suggestion that the KDC or MIT
core libraries change to support AFS.  The suggestion has always
been to provide an additional AFS support library, and maybe
change some of the utilities.

So, why is AFS special?  It's not really a special Kerberos
application, that's true; it can make use of the regular, unmodified
Kerberos libraries.  The problem is that AFS integration becomes
more seamless if you build it into some of your Kerberos applications,
like kinit and into login.krb5 (or whatever you choose to use at
login time).  Okay, you guys say MIT isn't in the business of
providing Kerberos applications; fine, but you still _do_ provide
them in the short term.  If the MIT Kerberos applications ever split
off into its own distribution, maybe it would make sense to put
libkafs in there.

>I'm open to arguments about why the Heimdal design decision is
>correct.  I have already considered the historical argument.

Well, shoot ... I can appreciate a design decision, but I've got
real work to get done as well.  Within the OpenAFS community, the
general discussions I've seen basically boil down to, "Well, if you
use MIT Kerberos, you have to do all this extra stuff if you want
to make it work with OpenAFS, but if you use Heimdal, it all just
works out of the box".  Which one would _you_ choose?  I suspect
that if I was starting Kerberos 5 integration today, I'd probably
pick Heimdal.  Whether or not the MIT Kerberos developers consider
this a problem or not is of course a completely different question.
I just find it unfortunate that in the OpenAFS world, MIT Kerberos
is a distinctly second class citizen.

--Ken

