[OpenAFS-devel] kuserok() checking UID ownership on afs

Russ Allbery rra@stanford.edu
Fri, 04 Feb 2005 10:41:03 -0800


Troy Benjegerdes <hozer@hozed.org> writes:

> I would be quite happy to get rid of .k5login and get the principal to
> local account mapping functionality from either a local text/db file, or
> LDAP.

This may work for your particular site, but note that .k5login is not a
principal to local account map.  It's an authorization ACL, and some of
our accounts have multiple Kerberos principals authorized to log in to
them.

> On the openafs side of things, I'd like to be able to have AFSid ->
> local UID mapping functions as well, so 'ls -l' in someone else's afs
> cell can return something intelligent, provided the local admin either
> has a mapping daemon running, or has pre-mapped specific remote users.

You can do this, but you have to patch libc to override the stat()
function and the like.  Unix operating systems don't have any other hooks
available to fiddle with the UID.  There isn't any way to do this with PAM
or nsswitch.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
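
An added example, not part of the original message and not code from any Kerberos implementation: a small sketch of a `.k5login`-style check that treats the file as an ACL, so one account can list several principals and one principal can appear in several accounts' files. The realm, account names, file names, the no-file fallback, and the reading of the subject line's ownership check as "owned by the account or root" are all assumptions made for illustration.

```python
import os
import tempfile

DEFAULT_REALM = "EXAMPLE.ORG"  # constructed realm, not from the thread


def owner_ok(file_uid, account_uid):
    # Assumed ownership rule: trust the ACL only if the account or root owns it.
    return file_uid in (account_uid, 0)


def read_acl(path, account_uid):
    """Return the set of principals listed in path, or None if no file exists."""
    try:
        with open(path, encoding="utf-8") as fh:
            # fstat the open handle so the check and the read see the same file.
            if not owner_ok(os.fstat(fh.fileno()).st_uid, account_uid):
                raise PermissionError(f"{path}: not owned by uid {account_uid} or root")
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return None


def may_login(principal, account, account_uid, path):
    acl = read_acl(path, account_uid)
    if acl is None:
        # Simplified fallback (assumption): only the account's own principal.
        return principal == f"{account}@{DEFAULT_REALM}"
    return principal in acl  # membership test: an ACL, not a 1:1 map


def demo():
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        shared = os.path.join(d, "shared.k5login")  # constructed sample ACLs
        alice = os.path.join(d, "alice.k5login")
        with open(shared, "w", encoding="utf-8") as fh:
            fh.write("alice@EXAMPLE.ORG\nbob@EXAMPLE.ORG\n")
        with open(alice, "w", encoding="utf-8") as fh:
            fh.write("alice@EXAMPLE.ORG\n")
        missing = os.path.join(d, "absent.k5login")
        return {
            "alice->shared": may_login("alice@EXAMPLE.ORG", "shared", uid, shared),
            "bob->shared": may_login("bob@EXAMPLE.ORG", "shared", uid, shared),
            "alice->alice": may_login("alice@EXAMPLE.ORG", "alice", uid, alice),
            "bob->alice": may_login("bob@EXAMPLE.ORG", "alice", uid, alice),
            "carol->carol (no file)": may_login("carol@EXAMPLE.ORG", "carol", uid, missing),
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```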