[OpenAFS] using cross-realm kerberos principal in ACL before
pts id is created (or, creating it as non-admin)?
Mon, 15 May 2006 15:33:39 -0400
On Monday, May 15, 2006 09:52:27 AM -0400 Derrick J Brashear
> On Sun, 14 May 2006, Adam Megacz wrote:
>> Is it possible for a non-administrator user to add email@example.com
>> to an ACL before firstname.lastname@example.org has aklog'ed for the first time?
>> Currently it doesn't happen automatically (no big deal), but is there
>> any way to do it without admin intervention?
> Sure. They can first pts cu email@example.com -c myrealm.org first,
> then add it.
Well, no. The only people who can pts cu firstname.lastname@example.org are
administrators and someone who can become email@example.com. It is not
possible for non-administrators to create arbitrary foreign-realm users.