[OpenAFS] using cross-realm kerberos principal in ACL before pts id is created (or, creating it as non-admin)?
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 15 May 2006 15:33:39 -0400

On Monday, May 15, 2006 09:52:27 AM -0400 Derrick J Brashear <shadow@dementia.org> wrote:

> On Sun, 14 May 2006, Adam Megacz wrote:
>
>>
>> Is it possible for a non-administrator user to add user@otherrealm.edu
>> to an ACL before user@otherrealm.edu has aklog'ed for the first time?
>> Currently it doesn't happen automatically (no big deal), but is there
>> any way to do it without admin intervention?
>
> Sure. They can first pts cu user@otherrealm.edu -c myrealm.org,
> then add it.

Well, no. The only people who can pts cu user@otherrealm.edu are
administrators and someone who can become user@otherrealm.edu. It is not
possible for non-administrators to create arbitrary foreign-realm users.

-- Jeff