kuserok() checking UID ownership on afs
Troy Benjegerdes
hozer at hozed.org
Tue Feb 1 19:25:11 EST 2005
kuserok() does not work when .k5login is on an afs volume where the
local unix UID does not match the AFS ID.
I've also gotten burned by the same type of paranoid UID and permissions
checks in the courier mail server.
This breaks cross-realm situations where you might want to allow people
from multiple realms onto a system, and have local unix UID's not equal
to the AFS ID.
Is there a good solution to this? UID mapping seems a possible solution,
and has apparently been used for GPFS.
http://www-1.ibm.com/servers/eserver/clusters/whitepapers/uid_gpfs.html
Is this supported anywhere? I could have sworn some versions of DEC
Athena did AFS UID mapping on-the-fly when a user logged in.
--
--------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' hozer at hozed.org
Somone asked my why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Shultz had the best answer:
"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Shultz
More information about the krbdev
mailing list