[OpenAFS] cross-realm AFS IDs

lamont@scriptkiddie.org lamont@scriptkiddie.org
Sun, 20 Nov 2005 18:45:43 -0800 (PST)

It looks like cross-realm AFS IDs are required to have the group ID of the 
cross-realm group (system:authuser@realm) in the lower 16 bits of the ID:

user id & 0x0000ffff = group id

Does this imply that you only get 16 bits of local IDs and 16 bits for 
each cross-realm realm?

What would break if you assigned arbitrary AFS IDs to cross-realm users, 
particularly in the <= 0x0000ffff ID space?  What expects to be able to 
take a user id and strip out the group id from it?

I've got cross-realm users which are in an AD REALM that I want to use 
while keeping my cell principal in an MIT KDC.  Those cross-realm users 
are already in my /etc/passwd file with a globally unique uid that it 
would simplify my life greatly if I could use for an AFS ID.  Also, all the 
foreign cells that I'll access will have exactly the same mapping of IDs 
to the AD realm.

Is there any way around this, or am I stuck with only 16 bits of 
0xnnnnff2e IDs and the need to use some kind of nss_afs to resolve those 
names with getpwuid()?