Hello, I'm considering switching to Coda as an alternative to my current AFS cell, and I have a couple of questions about how Coda interacts with certain services. Specifically, I'd like to know how service daemons authenticate themselves with Coda over time.

In AFS, if I want a service to have access to directories (beyond the basic anyuser non-authenticated access), I have to set up a service principal for the service in Kerberos. That principal must then be authenticated with a keytab file, followed by a call to aklog, at service start-up. Authentication must also be repeated periodically as the daemon runs, as the Kerberos ticket expires frequently. Finally, AFS has a "process authentication group" (PAG), which is an AFS-specific identification number in the kernel used to associate a tree of processes with an AFS user. The way to issue a new PAG to a daemon process is to execute the process with a specialized shell called pagsh.

The "Coda In Action" section of the "Coda Distributed Filesystem" paper located at http://www.coda.cs.cmu.edu/ljpaper/lj.html describes FTP mirror sites and WWW replication servers that surely must have authenticated service daemons, so it seems that this use case was considered in the Coda design.

Here are my questions:

1. If I use Coda without Kerberos, how do I continuously authenticate long-running daemons? (I have come to view Kerberos as a problem, so I'd like to live without it if possible.)

2. Where does Coda store user accounts?

3. Does Coda have something like a PAG, and if not, how does a process tree share authentication?

4. Kerberos is intended for single-user workstations, and multiple-user workstations have security problems associated with their ticket stores in /tmp. Does Coda better deal with multiple simultaneous users on a client, or does it have these same problems?

5. I've seen statements on the Coda website about server machines that are also clients not being recommended. There are also remarks about this being an old problem that is no longer so significant. What is the current status of this issue?

Sorry that these questions are so lengthy, and thank you in advance for any information you can share.

-A

-- 
Linux: The ultimate video game.

Received on 2010-02-12 16:03:51