[OpenAFS] Re: foreign-realm members of system:administrators have weakened powers?

Douglas E. Engert deengert@anl.gov
Fri, 27 Jan 2006 11:08:00 -0600


As a side note to the Kerberos developers, is it time to add referral support
to both the client and KDC?  I believe that would go a long way toward solving the
update of the krb5.conf problem.


Adam Megacz wrote:

> I may be abandoning this because there doesn't seem to be any reliable
> way for clients to figure out that the cell is its own realm (without
> requiring end-users to manually edit or replace their krb5.conf, which
> is way beyond the abilities of many people, sad as that fact may be).
> 
> Basically, unless I can get this to a truly zero-configuration
> situation for users, my project is not gonna fly.  It's just the
> realities of how things are.
> 
>   - a
> 
> 
> ted creedon <tcreedon@easystreet.com> writes:
> 
>>I'd appreciate some documentation when it's done.
>>
>>Thanks.
>>
>>tedc
>>
>>Adam Megacz wrote:
>>
>>>Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
>>>
>>>
>>>>When I tracked this one down, I found code to specifically disallow
>>>>foreign realm users in the code that handles the Bos UserList; it
>>>>would not surprise me to find similar code in the pts server.
>>>>
>>>
>>>Is there opposition to removing this code?
>>>
>>>I'm starting to like the idea of running AFS in its own micro-realm
>>>and having all users be cross-realm users.  It cuts down a lot on
>>>administrative overhead (asking for favors from kdc admins when stuff
>>>changes) and keeps the username namespace nice and tidy without
>>>unduly favoring one institution or department over another.
>>>
>>> - a
>>>
>>>
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444