On Thu, 2014-07-31 at 15:29 -0500, Andrew Deason wrote:
> The alternative is to effectively "guess" what credentials we should be
> using, which is what NFSv4 does (rpc.gssd). That is, all you need to do
> to authenticate is to run a plain 'kinit' or equivalent (with no
> knowledge of AFS/NFS), and the kernel tries to find the ccache you used
> and turn it into a token itself. This approach has a noticeable number
> of cases where it does the wrong thing, and so you hear complaints about
> it from time to time. But when it works correctly, it's invisible, so I
> expect the only time you hear about it (from users) are the complaints.

I think this also kills off PAGs pretty effectively, unless the equivalent of rpc.gssd has some privileged access to all PAGs and a way to map a given access to its PAG.

(Then again, I currently don't use PAGs in my Linux VM, and PAGs don't work at all on OS X; quite possibly for people who would want this mechanism, they also wouldn't care about PAGs.)

-- 
brandon s allbery kf8nh sine nomine associates
allber...@gmail.com ballb...@sinenomine.net
unix openafs kerberos infrastructure xmonad http://sinenomine.net