[OpenAFS-devel] W2000 Token authentication problems
Derek Atkins
warlord@MIT.EDU
06 Jun 2001 23:44:34 -0400
"James Peterson" <jimpeter@us.ibm.com> writes:
> The patch we have decided to try is to create a global user list (instead
> of a user list per LSN, logical Session Number). This would make the
> assignment of tokens by userName/machineName rather than by LSN. If this
> patch works then we can add security by doing a one way hash of the
> userName/machineName.
Does this imply that I, as a user, cannot have multiple sets of
tokens? For example, I might want to create a special PAG (using the
Unix terms, a Process Authentication Group) so that I can have some
processes with sys:admin privs and other processes with me-as-a-user
privs. Or, I may want to use the same principal identity (kerberos
tickets) to authenticate to multiple AFS cells, but I want to keep
said authentication segregated.
I can certainly do either of these with the Unix client. It would be
nice if something similar could happen with the Windows client. I
don't think that 'username' is a fine-grained-enough control.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
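
An added illustration of the granularity question raised in this message (not code from the thread or from OpenAFS): a toy token cache whose lookup key is pluggable, comparing per-LSN, global userName/machineName, hashed userName/machineName, and PAG-style keying. All names, the cell `example.edu`, and the principals are constructed for the example.

```python
import hashlib

# Keying policies: each maps a process context to the cache key it would use.
def key_by_lsn(ctx):
    return ("lsn", ctx["lsn"])

def key_by_user_machine(ctx):
    return ("um", ctx["user"], ctx["machine"])

def key_by_hashed_user_machine(ctx):
    # A one-way hash hides the name but is still one key per user/machine.
    raw = f'{ctx["user"]}/{ctx["machine"]}'.encode()
    return ("umh", hashlib.sha256(raw).hexdigest())

def key_by_pag(ctx):
    return ("pag", ctx["pag"])

class TokenCache:
    """Toy model: tokens stored under (policy key, cell)."""
    def __init__(self, keyfn):
        self.keyfn = keyfn
        self.tokens = {}

    def set_token(self, ctx, cell, principal):
        self.tokens[(self.keyfn(ctx), cell)] = principal

    def get_token(self, ctx, cell):
        return self.tokens.get((self.keyfn(ctx), cell))

def scenario(keyfn):
    """One user, one machine, two contexts: ordinary and admin."""
    cache = TokenCache(keyfn)
    # Constructed contexts: separate logon sessions and separate PAG-like ids.
    normal = {"user": "derek", "machine": "ws1", "lsn": 1, "pag": 100}
    admin = {"user": "derek", "machine": "ws1", "lsn": 2, "pag": 101}
    cache.set_token(normal, "example.edu", "derek")
    cache.set_token(admin, "example.edu", "derek.admin")  # obtained later
    # What each context sees afterwards:
    return (cache.get_token(normal, "example.edu"),
            cache.get_token(admin, "example.edu"))

if __name__ == "__main__":
    for fn in (key_by_lsn, key_by_user_machine,
               key_by_hashed_user_machine, key_by_pag):
        print(f"{fn.__name__:28s} normal/admin see: {scenario(fn)}")
```

In this model the two userName/machineName policies leave the ordinary context holding the admin token, because both contexts resolve to the same key; hashing the name changes the key's appearance, not its granularity.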