An Invitation.
Henry B. Hotz
hotz at jpl.nasa.gov
Fri Feb 24 00:33:49 CET 2006
From JPL's internal AFS list. Consider yourselves invited to
provide something to OpenAFS. ;-)
Begin forwarded message:
> From: Jeffrey Altman <jaltman at secure-endpoints.com>
> Date: February 23, 2006 1:21:47 PM PST
> To: "Henry B. Hotz" <hotz at jpl.nasa.gov>
> Cc: Will Sun <wsun at jpl.nasa.gov>, FIL <jplis-
> fil at list.jpl.nasa.gov>, Alan Stepakoff <Alan.B.Stepakoff at jpl.nasa.gov>
> Subject: Re: [afs] Mac AFS Client Finder Issue (Was: [JPL Remedy
> Call 0000310886] Assigned to Generic, AFS Queue by gnguyen)
>
> Hank:
>
> Perhaps you could request that one of the plug-in authors submit a
> contribution to OpenAFS.
>
> Jeffrey Altman
>
>
> Henry B. Hotz wrote:
>> <<If having a GUI is your only criteria, than Arla has a pretty
>> nice AFS
>> config GUI on the Mac. I don't like their afslog GUI though.>>
>>
>> Getting back to the main point:
>>
>> The correct way to do this on a Mac is with a kerberos plug-in. That
>> plug-in should essentially do an "aklog" and gets called whenever a
>> kinit-like operation is done. Given a plug-in, the native
>> Kerberos GUI
>> program in /System/Library/CoreServices/Kerberos.app is
>> sufficient. AND
>> it becomes possible to have AFS tokens automatically acquired during
>> login. (Points to Alexandra, and I wish Apple hadn't broken part of
>> this functionality in 10.4.)
>>
>> However OpenAFS only provides an aklog program, they do not
>> provide any
>> functionality comparable to MIT's krbafs lib (obsolete now IMO), nor
>> Heimdal's kafs lib. In order to integrate with PAM on Solaris and
>> Linux, and in order to facilitate building a Mac Kerberos plug-in
>> OpenAFS needs to turn the aklog program into a library (and a small
>> wrapper to provide the current aklog program). I would strongly
>> recommend that the API for the library conform to a subset of Heimdal
>> kafs, specifically k_hasafs() and krb5_afslog(). It's also highly
>> desirable that it obey the [appdefaults] afs-use-524 config option.
>>
>> I have built and used both the Stanford/UMICH plug-in and the KTH
>> plugin. When they are installed I have almost never used a
>> command-line
>> aklog/afslog program. The KTH one is better IMO because it does
>> everything but the last stage with Kerberos 5 instead of Kerberos
>> 4 (and
>> even that could be eliminated once we get the DB servers on OpenAFS).
>> It's much less popular in the US though.
>>
>> The major problem with both of these plug-ins is that they are
>> "third-party". They are not maintained or integrated by OpenAFS,
>> or by
>> Apple, or by the MIT Kerberos team. It's yet another piece that we
>> would have to maintain independently.
>>
>> On Feb 23, 2006, at 7:40 AM, Jeffrey Altman wrote:
>>
>>> As far as providing GUI tools for obtaining tokens as is done on
>>> Windows. I am not a Macintosh programmer so I am not familiar
>>> with the
>>> Human Interface Guidelines that Apple provides and what
>>> functionality
>>> can be added to the the file system device icon that is displayed
>>> on the
>>> desktop. If there is functionality that you would like to see in
>>> OpenAFS on Macintosh, you should file a feature request at
>>> openafs-bugs at openafs.org. Note that at the current time there
>>> are no
>>> Macintosh GUI programmers either volunteering to work on OpenAFS or
>>> being paid to work on OpenAFS. At the present time all of the
>>> resources
>>> we have are being focused on the AFS client itself because we
>>> still have
>>> not shaken all of the bugs out.
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the Arla-drinkers
mailing list