[OpenAFS-devel] kuserok() checking UID ownership on afs

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 02 Feb 2005 15:47:49 -0500


>> 1. Acquire krbtgt (forwarded or with passwd) to memory
>> 2. Setup AFS stuff (afs service ticket, token, pag) if possible
>> 3. Evaluate .k5login
>> 4. Decide if user is OK
>> 5. Give ticket to user
>> 6. Login user into pag from above

> It's not the Kerberos code that needs bending; it's the login applications
> that need to get credentials to access the potential home directory
> before trying to access any files in the home directory.

Unfortunately, you're both trying to solve not the problem that Troy and 
Russ were actually discussing.  You're trying to solve the "I can't access 
the user's .k5login" problem, but the problem they were talking about is 
"how can I prove that no one _except_ the user could have written to the 
.k5login?".

-- Jeff
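
As an added illustration (not code from this thread or from any Kerberos implementation), here is a C sketch of the kind of UID-ownership check the subject line refers to: the file counts as the user's only if it is a regular file, owned by the expected UID, and not group- or world-writable. The names check_k5login and demo_check are hypothetical, and the strict owner-equals-user rule is an assumption of this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum k5_result { K5_OK, K5_OPEN_FAILED, K5_NOT_REGULAR, K5_BAD_OWNER, K5_WRITABLE };

/* Hypothetical helper: can the authorization file at `path` be trusted for
 * the account with UID `uid`, judging only by POSIX owner and mode bits?
 * Note: on AFS, write access is decided by the directory ACL on the file
 * server, not by st_uid or mode bits, so K5_OK here does not prove that
 * nobody except the user could have written the file. */
enum k5_result check_k5login(const char *path, uid_t uid)
{
    struct stat st;
    /* Open first and fstat the descriptor, so the object that is checked is
     * the object that would be read; refuse a symlink as the last component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return K5_OPEN_FAILED;
    if (fstat(fd, &st) != 0) { close(fd); return K5_OPEN_FAILED; }
    close(fd);
    if (!S_ISREG(st.st_mode)) return K5_NOT_REGULAR;
    if (st.st_uid != uid) return K5_BAD_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return K5_WRITABLE;
    return K5_OK;
}

/* Constructed demo input: create a scratch file with `mode`, then check it
 * against this process's UID plus `uid_offset` (non-zero = foreign owner). */
enum k5_result demo_check(mode_t mode, int uid_offset)
{
    char path[] = "/tmp/k5login_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return K5_OPEN_FAILED;
    fchmod(fd, mode);
    close(fd);
    enum k5_result r = check_k5login(path, getuid() + (uid_t)uid_offset);
    unlink(path);
    return r;
}

int main(void)
{
    printf("0600, own uid:   %d\n", demo_check(0600, 0)); /* K5_OK */
    printf("0660, own uid:   %d\n", demo_check(0660, 0)); /* K5_WRITABLE */
    printf("0600, other uid: %d\n", demo_check(0600, 1)); /* K5_BAD_OWNER */
    return 0;
}
```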