[OpenAFS-devel] kuserok() checking UID ownership on afs

Troy Benjegerdes hozer@hozed.org
Tue, 1 Feb 2005 18:25:11 -0600


kuserok() does not work when .k5login is on an afs volume where the
local unix UID does not match the AFS ID.

I've also gotten burned by the same type of paranoid UID and permissions
checks in the courier mail server.

This breaks cross-realm situations where you might want to allow people
from multiple realms onto a system, and have local unix UID's not equal
to the AFS ID.

Is there a good solution to this? UID mapping seems a possible solution,
and has apparently been used for GPFS. 
http://www-1.ibm.com/servers/eserver/clusters/whitepapers/uid_gpfs.html

Is this supported anywhere? I could have sworn some versions of DEC
Athena did AFS UID mapping on-the-fly when a user logged in.

-- 
--------------------------------------------------------------------------
Troy Benjegerdes                'da hozer'                hozer@hozed.org  

Someone asked me why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Shultz had the best answer:

"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Shultz