[OpenAFS] Re: foreign-realm members of system:administrators have weakened
powers?
Adam Megacz
megacz@cs.berkeley.edu
Thu, 26 Jan 2006 21:26:46 -0800
I may be abandoning this because there doesn't seem to be any reliable
way for clients to figure out that the cell is its own realm (without
requiring end-users to manually edit or replace their krb5.conf, which
is way beyond the abilities of many people, sad as that fact may be).
Basically, unless I can get this to a truly zero-configuration
situation for users, my project is not gonna fly. It's just the
realities of how things are.
- a
ted creedon <tcreedon@easystreet.com> writes:
> I'd appreciate some documentation when its done.
>
> Thanks.
>
> tedc
>
> Adam Megacz wrote:
>>Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
>>
>>>When I tracked this one down, I found code to specifically disallow
>>>foreign realm users in the code that handles the Bos UserList; it
>>>would not surprise me to find similar code in the pts server.
>>>
>>
>>Is there opposition to removing this code?
>>
>>I'm starting to like the idea of running AFS in its own micro-realm
>>and having all users be cross-realm users. It cuts down a lot on
>>administrative overhead (asking for favors from kdc admins when stuff
>>changes) and keeps the username namespace nice and tidy without
>>unduely favoring one institution or department over another.
>>
>> - a
>>
>>
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380