[OpenAFS-devel] More on aklog

Derrick J Brashear shadow@dementia.org
Tue, 12 Oct 2004 01:05:25 -0400 (EDT)

You found me at a particularly vicious moment. There's even a story to go 
with it, but I can't tell it yet.

On Mon, 11 Oct 2004, Ken Hornstein wrote:

>> Jeff Altman explained why in the RT ticket you opened; Basically, "because
>> it can lead to 2 principals being treated as the same one".
> I feel it's only fair to say that I know someone that got screwed,
> hard, because of this code.

We distribute source; Are they not particularly resourceful? Cell and 
realm in control of different entities which can't play nicely? What? 
Really, if you got screwed hard by this, either there are extenuating 
circumstances, or being stuck inside a paper bag seems like it could be 
your match...

> Yeah, it can lead to two principals being treated the same: so what?

the obvious use would seem to be firstname.lastname; i suppose the surname 
admin is uncommon; we have, however, had root as a surname here.

> So far it's only seemed to cause
> people problems,

Because the people who haven't had any problems are busily reporting the 
problems they don't have, I suppose...

> because this _USED_ to work fine with krb524d,
> which people used FOR YEARS without any problems, confusion or
> security incidents.

That you know of.

> The end result is that it's not a seamless
> upgrade from a V4 ticket to a V5 ticket with krb524d, and that
> sucks.

A proposal of anything better than "well, 2 users could potentially be 
treated as one" would be more entertaining at minimum.

Hey, I have a rotten idea, send a patch with aklog and some configure 
gunk, and slip in the reversion of this "change" with it.