[OpenAFS-devel] cross-realm + UserList?

Neulinger, Nathan nneul@umr.edu
Mon, 7 May 2001 10:19:04 -0500


Yep, I see it... auth/userok.c gets the cell and user from the current
connection, then if tcell != localcell, immediately exits with a 0 return.
There appears to be a define for athena that enables it to check the
krbrealm instead, but that's not what I'm looking for here. (I would think
that would be for if you had a cell name different from your krb realm.)

Looks like it might be straightforward to modify.

Seems to me that if tcell == localcell, you can call FindUser for
	"tname" or "tname.inst".

In all other cases, in addition to tcell == localcell, you can check for
	"tname@localcell", "tname.inst@localcell".

For syntax's sake, to enable a more krb5-like syntax, it would probably be good to
also check for tname/inst@whatever.

Any comments before I implement this?

Seems to me that the athena code could easily be removed at that point
simply by having those servers list "user@cell" and "user@realm" in the
UserList. But that's just an option.

Does afs_krb_get_lrealm not work everywhere? As an alternative, why not
always allow the athena behavior? Check both cell and realm for all
combinations.

-- Nathan

> -----Original Message-----
> From: Ken Hornstein [mailto:kenh@cmf.nrl.navy.mil]
> Sent: Monday, May 07, 2001 10:02 AM
> To: Neulinger, Nathan
> Cc: 'openafs-devel@openafs.org'
> Subject: Re: [OpenAFS-devel] cross-realm + UserList? 
> 
> 
> > Is there any way to get cross realm princs to work with the UserList? I have
> > it working with system:administrators just fine, does anyone have a
> > patch/etc. to make it work with UserList, or do I need to list the princ in
> > that file in a different format?
> 
> There's an explicit test in there to make sure it's in the same realm.
> I fixed it once, but I don't have easy access to the patch (but I think
> once you start looking for it, it's not hard to find).
> 
> --Ken
>
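The lookup Nathan proposes above, written out as an added example (not OpenAFS code and not the patch under discussion): for a principal with name, instance and cell, build the UserList spellings to try, then match them against a constructed UserList. The cross-realm forms here use the principal's own cell after the "@" (an assumption about what the message means by "tname@localcell"), and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenAFS code. Builds the UserList entry forms to try
 * for a principal (name, inst, cell) given the server's local cell.
 * Fills `out` with up to MAXCAND strings and returns how many were written. */
#define MAXCAND 5
#define CANDLEN 256

int userlist_candidates(const char *name, const char *inst, const char *cell,
                        const char *localcell, char out[MAXCAND][CANDLEN])
{
    int n = 0;
    int has_inst = inst && inst[0];

    /* Same cell as the server: the bare "name" or "name.inst" form. */
    if (strcmp(cell, localcell) == 0) {
        if (has_inst) snprintf(out[n++], CANDLEN, "%s.%s", name, inst);
        else          snprintf(out[n++], CANDLEN, "%s", name);
    }
    /* Every case (local or cross-realm): "name@cell" / "name.inst@cell". */
    if (has_inst) snprintf(out[n++], CANDLEN, "%s.%s@%s", name, inst, cell);
    else          snprintf(out[n++], CANDLEN, "%s@%s", name, cell);
    /* The krb5-like spelling "name/inst@cell" (assumed form). */
    if (has_inst) snprintf(out[n++], CANDLEN, "%s/%s@%s", name, inst, cell);
    return n;
}

/* Returns 1 if any candidate form is listed in `userlist`, else 0.
 * A foreign-realm principal never matches a bare "name" entry, which is
 * the property the original same-realm check was protecting. */
int userlist_allows(const char *name, const char *inst, const char *cell,
                    const char *localcell, const char *const *userlist,
                    int nentries)
{
    char cand[MAXCAND][CANDLEN];
    int n = userlist_candidates(name, inst, cell, localcell, cand);
    for (int i = 0; i < n; i++)
        for (int j = 0; j < nentries; j++)
            if (strcmp(cand[i], userlist[j]) == 0) return 1;
    return 0;
}
```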