authentication vs authorization was Re: [OpenAFS] 1.3.70 and aklog
Christopher D. Clausen
cclausen@acm.org
Tue, 17 Aug 2004 11:11:09 -0500
Douglas E. Engert wrote:
>> I believe it is very important that the authenticated name be
>> preserved for logging and because you never know when some
>> administrator might screw up and issue jane.doe@FOO.COM to
>> jane.doe@BAR.COM to different users when both the FOO.COM and
>> BAR.COM realms are trusted by the foobar.com cell.
>>
>
> Actually they may want to do this, to map two different principals to
> the same authorization name. ~/.k5login is an example of this.
H:\>cat .k5login
cclausen@ACM.UIUC.EDU
cclausen@AD.UIUC.EDU
cclausen/admin@ACM.UIUC.EDU
I think this is how I got confused about how the cross-realm trust
worked in the first place, as I could logon to my AIX machine using my
AD tickets without any problem.
Thanks for the explanations!
<<CDC
Christopher D. Clausen
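
The following is an added example, not part of the original message or of any Kerberos or OpenAFS code: a sketch of a .k5login-style check that maps several principals to one account while keeping the authenticated principal in the log record. The function names, the account name "cclausen" and the choice of ACM.UIUC.EDU as the local realm are assumptions made for illustration.

```python
# Constructed sample input: the three entries shown in the message above.
K5LOGIN = """\
cclausen@ACM.UIUC.EDU
cclausen@AD.UIUC.EDU
cclausen/admin@ACM.UIUC.EDU
"""


def parse_k5login(text):
    """Return the listed principals, one per non-blank line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def realm_of(principal):
    """Realm is the part after the last '@' (escaped '@' is ignored in this sketch)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a fully qualified principal: {principal!r}")
    return realm


def authorize(principal, account, k5login_text):
    """Decide access and build a log record that keeps both names.

    authenticated_as is who Kerberos says the client is; authorized_as is the
    local account the principal is mapped to. Matching is exact and
    case-sensitive, so every accepted principal must be listed explicitly.
    """
    realm_of(principal)  # reject malformed names before matching
    allowed = principal in parse_k5login(k5login_text)
    return {
        "authenticated_as": principal,
        "authorized_as": account if allowed else None,
        "allowed": allowed,
    }


def foreign_entries(k5login_text, local_realm):
    """List entries whose realm differs from local_realm, for periodic review."""
    return [p for p in parse_k5login(k5login_text) if realm_of(p) != local_realm]


if __name__ == "__main__":
    for who in ("cclausen@AD.UIUC.EDU", "jane.doe@BAR.COM"):
        print(authorize(who, "cclausen", K5LOGIN))
    print("cross-realm entries:", foreign_entries(K5LOGIN, "ACM.UIUC.EDU"))
```
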