[OpenAFS] Re: foreign-realm members of system:administrators have weakened
Thu, 26 Jan 2006 21:26:46 -0800
I may be abandoning this because there doesn't seem to be any reliable
way for clients to figure out that the cell is its own realm (without
requiring end-users to manually edit or replace their krb5.conf, which
is way beyond the abilities of many people, sad as that fact may be).
Basically, unless I can get this to a truly zero-configuration
situation for users, my project is not gonna fly. It's just the
realities of how things are.
ted creedon <email@example.com> writes:
> I'd appreciate some documentation when its done.
> Adam Megacz wrote:
>>Ken Hornstein <firstname.lastname@example.org> writes:
>>>When I tracked this one down, I found code to specifically disallow
>>>foreign realm users in the code that handles the Bos UserList; it
>>>would not surprise me to find similar code in the pts server.
>>Is there opposition to removing this code?
>>I'm starting to like the idea of running AFS in its own micro-realm
>>and having all users be cross-realm users. It cuts down a lot on
>>administrative overhead (asking for favors from kdc admins when stuff
>>changes) and keeps the username namespace nice and tidy without
>>unduely favoring one institution or department over another.
>> - a
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380