[OpenAFS-devel] Re: Initial implementation of RestrictedQuery, please comment

[Andrew Deason]

On Tue, 18 Mar 2014 16:27:45 +0100
Gergely Risko <gergely@risko.hu> wrote:

>   - authenticated: in userok.c line 391 rxkad_GetServerInfo succeeds, in
>     our current thinking this is authuser+foreign user, right?  Someone
>     who is not related at all to the AFS cell shouldn't be able to get
>     this far,

What you're really checking is just that the connection is
authenticated; rxkad_GetServerInfo will always return success for a
properly authenticated rxkad connection.

With krb5 and rxkad, that only means the client was able to present a
valid AFS service ticket. It also doesn't have to just be
authuser+foreign, since you can check if they are a "non-foreign user"
by checking the realm, which we already have logic for.

However, that doesn't verify that they are a valid AFS user at all; this
is more of a kerberos-level check than an AFS check. The user may
deliberately not have an associated ptdb entry (so they are effectively
unauthenticated for all normal operations), or they may be a foreign
user from a realm that the AFS administrator did not configure "foreign
user" access for.

That is specific level of "access" that I don't think exists anywhere
else in AFS; it doesn't have an equivalent in current normal operation
and may be confusing. The meaning of such an access check could also
change for non-rxkad security classes.

-- 
Andrew Deason
adeason@sinenomine.net