[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Douglas E. Engert deengert at anl.gov
Tue Mar 28 16:30:53 EST 2006

Henry B. Hotz wrote:

> You know the only thing that would *really* satisfy me is if Kerberos  
> and AFS used the same ticket/token storage mechanism, and that  
> mechanism had all the properties of PAG's (and there were proper  
> tools for dealing with the storage).  None of the three camps have  
> made fundamentally wrong design decisions, but I hate the results.

Sounds like what DCE/DFS did. The Kerberos tickets where stored
in a well known location, with the PAG number as part of the file name.
/opt/dcelocal/var/security/creds/deccred_xxxxxxxx  where xxxxxxxx was
the PAG. Then the kernel could tell dced (something
like afsd) to fetch a ticket from the cache or even get additional tickets
and renew tickets. This also allowed DFS to use a separate principal
for each server. This is kind of what Windows does too with cifs/servername
principals. So it can be done.

Other applications could use the tickets in the cache bu seting the
KRB5CCNAME to point at the deccred_xxxxxxxx. So "Kerberos and DFS used the
same ticket/token storage mechanism."

> I'll shut up now.  I think we've beat this horse to death.

It may not be dead, just turned out to pasture to early.

> ------------------------------------------------------------------------ 
> ----
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list