[OpenAFS] foreign-realm members of system:administrators have weakened powers?

Ken Hornstein kenh@cmf.nrl.navy.mil
Wed, 25 Jan 2006 12:14:13 -0500


>  $ pts creategroup project.sbp system:administrators -cell research.cs.berkeley.edu
>  pts: Permission denied ; unable to create group project.sbp with id 0 owned by 'system:administrators'
>
>Are there some powers that are withheld from administrators using a
>cross-realm pts id?  The command succeeds when authenticated as
>afsadmin.

I didn't know about this one (and in fact, I thought when we had it set
up, a cross-realm user on system:administrators worked for everything I
had tried, but that was a while ago and maybe my memory is faulty), but
one that I specifically remember is that you can't have a cross-realm
user on the Bos UserList.  Well, you can _put_ one on there, but it
won't work for anything.  When I tracked this one down, I found code to
specifically disallow foreign realm users in the code that handles the
Bos UserList; it would not surprise me to find similar code in the pts
server.

--Ken