[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions

Douglas E. Engert deengert at anl.gov
Tue Mar 28 16:30:53 EST 2006


Henry B. Hotz wrote:

> 
> You know the only thing that would *really* satisfy me is if Kerberos  
> and AFS used the same ticket/token storage mechanism, and that  
> mechanism had all the properties of PAG's (and there were proper  
> tools for dealing with the storage).  None of the three camps have  
> made fundamentally wrong design decisions, but I hate the results.
> 

Sounds like what DCE/DFS did. The Kerberos tickets were stored
in a well known location, with the PAG number as part of the file name.
/opt/dcelocal/var/security/creds/deccred_xxxxxxxx  where xxxxxxxx was
the PAG. Then the kernel could tell dced (something
like afsd) to fetch a ticket from the cache or even get additional tickets
and renew tickets. This also allowed DFS to use a separate principal
for each server. This is kind of what Windows does too with cifs/servername
principals. So it can be done.

Other applications could use the tickets in the cache by setting the
KRB5CCNAME to point at the deccred_xxxxxxxx. So "Kerberos and DFS used the
same ticket/token storage mechanism."

> I'll shut up now.  I think we've beat this horse to death.

It may not be dead, just turned out to pasture too early.

> 
> ----------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
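As an added illustration of the per-PAG credential cache model described in the reply above (this is example code, not anything from DCE/DFS, OpenAFS or the thread's authors), the following maps a PAG number to the well-known cache path, and shows the check an application should make before exporting KRB5CCNAME at such a predictable location: the file must be a regular file, owned by the caller and not readable by anyone else. The 8-hex-digit PAG format, the 32-bit PAG range, the sample PAG values and the "FILE:" cache-type prefix are assumptions of the example; the directory and deccred_ naming come from the message.

```python
import os
import stat
import tempfile

# Well-known cache directory as described in the message.
CRED_DIR = "/opt/dcelocal/var/security/creds"


def cache_path_for_pag(pag: int, cred_dir: str = CRED_DIR) -> str:
    """Map a PAG number to its cache file, deccred_xxxxxxxx.

    Assumption: the PAG is a 32-bit number rendered as 8 lowercase hex digits.
    """
    if not 0 <= pag <= 0xFFFFFFFF:
        raise ValueError("PAG must fit in 32 bits")
    return os.path.join(cred_dir, f"deccred_{pag:08x}")


def cache_is_private(path: str, uid: int) -> bool:
    """Check that a cache at a predictable path is safe to use.

    lstat (not stat) so a symlink planted at the well-known name is rejected;
    the file must belong to the caller and carry no group/other permission bits.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != uid:
        return False
    return stat.S_IMODE(st.st_mode) & 0o077 == 0


def krb5ccname_for_pag(pag: int, uid: int, cred_dir: str = CRED_DIR) -> str:
    """Return the KRB5CCNAME value that shares the PAG's tickets, refusing an unsafe cache."""
    path = cache_path_for_pag(pag, cred_dir)
    if not cache_is_private(path, uid):
        raise PermissionError(f"refusing to use {path}: not a private cache owned by uid {uid}")
    return "FILE:" + path  # assumption: FILE: cache type


def demo() -> tuple:
    """Constructed scenario in a temporary directory: one private cache, one world-readable."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        good = cache_path_for_pag(0x41000001, d)  # constructed PAG value
        bad = cache_path_for_pag(0x41000002, d)   # constructed PAG value
        with open(good, "wb") as f:
            f.write(b"constructed cache contents")
        os.chmod(good, 0o600)
        with open(bad, "wb") as f:
            f.write(b"constructed cache contents")
        os.chmod(bad, 0o644)  # leaks tickets to other local users

        accepted = krb5ccname_for_pag(0x41000001, uid, d).endswith("deccred_41000001")
        try:
            krb5ccname_for_pag(0x41000002, uid, d)
            rejected = False
        except PermissionError:
            rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the ownership and mode check is that a cache name derived only from the PAG is guessable by every local user, so the file's own permissions are the only thing keeping one session's tickets out of another user's hands.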


