[OpenAFS] using cross-realm kerberos principal in ACL before
pts id is created (or, creating it as non-admin)?
Derrick J Brashear
Mon, 15 May 2006 15:43:53 -0400 (EDT)
Doh, misread as "administrator"
On Mon, 15 May 2006, Jeffrey Hutzelman wrote:
> On Monday, May 15, 2006 09:52:27 AM -0400 Derrick J Brashear
> <email@example.com> wrote:
>> On Sun, 14 May 2006, Adam Megacz wrote:
>>> Is it possible for a non-administrator user to add firstname.lastname@example.org
>>> to an ACL before email@example.com has aklog'ed for the first time?
>>> Currently it doesn't happen automatically (no big deal), but is there
>>> any way to do it without admin intervention?
>> Sure. They can first pts cu firstname.lastname@example.org -c myrealm.org first,
>> then add it.
> Well, no. The only people who can pts cu email@example.com are
> administrators and someone who can become firstname.lastname@example.org. It is not
> possible for non-administrators to create arbitrary foreign-realm users.
> -- Jeff