[OpenAFS] using cross-realm kerberos principal in ACL before pts id is created (or, creating it as non-admin)?

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 15 May 2006 15:33:39 -0400

On Monday, May 15, 2006 09:52:27 AM -0400 Derrick J Brashear 
<shadow@dementia.org> wrote:

> On Sun, 14 May 2006, Adam Megacz wrote:
>> Is it possible for a non-administrator user to add user@otherrealm.edu
>> to an ACL before user@otherrealm.edu has aklog'ed for the first time?
>> Currently it doesn't happen automatically (no big deal), but is there
>> any way to do it without admin intervention?
> Sure. They can first pts cu user@otherrealm.edu -c myrealm.org first,
> then add it.

Well, no.  The only people who can pts cu user@otherrealm.edu are 
administrators and someone who can become user@otherrealm.edu.  It is not 
possible for non-administrators to create arbitrary foreign-realm users.

-- Jeff