[OpenAFS-devel] kuserok() checking UID ownership on afs
Harald Barth
haba@pdc.kth.se
Wed, 02 Feb 2005 17:08:45 +0100 (MET)
> This assumes that there is already an AFS token.
I assumed a forwarded ticket.
> The .k5login (and other dot files) have always been in a chicken and
> egg situation.
Yes. The order is critical and tricky.
I think there should be an order to
1. Acquire krbtgt (forwarded or with passwd) to memory
2. Setup AFS stuff (afs service ticket, token, pag) if possible
3. Evaluate .k5login
4. Decide if user is OK
5. Give ticket to user
6. Login user into pag from above
This only works if the user either is at the console with password
or forwards tickets. But if you have AFS on the remote system, you
probably want to forward tickets if your $HOME is in AFS.
I don't know how difficult it is to bend the Kerberos code into doing
the above. Probably not my league. You know the Kerberos code much
better than I do.
Harald.