Integration of k5start/krenew functionality

Russ Allbery rra at stanford.edu
Sat Aug 1 14:46:47 EDT 2009


Ken Raeburn <raeburn at MIT.EDU> writes:

> I'm also of two minds as to how much Kerberos programs should be going
> out of their way to do AFS things, rather than providing hooks and
> letting someone choose to run AFS programs.  We don't do anything
> special for NFS or Zephyr or other Kerberos-using technologies.  (I
> wonder if we should look at some of the event signaling systems present
> on many systems these days, as a way to advertise "TGT in ccache foo
> updated" to any interested process, so it can get new AFS tokens or
> update Zephyr session key data etc.  There are already some notification
> hooks in some of the ccache code.  Just a thought...)

I suspect most people here know this, but to be sure, there's no way that
one can do what k5start and krenew do without adding the AFS support
directly into the program or at least in something else run in the same
process.  A subprocess can't put the command in a separate PAG and obtain
tokens within that PAG.  Without having the AFS support directly in the
k5start/krenew program, you have to do workarounds that are difficult to
explain to the average end-user, such as invoking a separate wrapper
script that uses pagsh and runs aklog separately.  Simplifying that is a
design requirement for us, since we have people use krenew who have no
prior experience with Kerberos or AFS.

> As for these specific programs -- I think there's a lot of duplicated
> functionality between kinit and k5start, so having one program with a
> few more options may be better...

Certainly that's happened in the past -- k4start started as a fix for
Kerberos v4 kinit, which had fairly broken and insufficient command line
options, and most of the same problems were fixed in kinit for Kerberos
v5.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


