[OpenAFS] using cross-realm kerberos principal in ACL before pts id is created (or, creating it as non-admin)?

Derrick J Brashear shadow@dementia.org
Mon, 15 May 2006 15:43:53 -0400 (EDT)


Doh, misread as "administrator"

Sigh

Derrick

On Mon, 15 May 2006, Jeffrey Hutzelman wrote:

>
>
> On Monday, May 15, 2006 09:52:27 AM -0400 Derrick J Brashear 
> <shadow@dementia.org> wrote:
>
>> On Sun, 14 May 2006, Adam Megacz wrote:
>> 
>>> 
>>> Is it possible for a non-administrator user to add user@otherrealm.edu
>>> to an ACL before user@otherrealm.edu has aklog'ed for the first time?
>>> Currently it doesn't happen automatically (no big deal), but is there
>>> any way to do it without admin intervention?
>> 
>> Sure. They can first pts cu user@otherrealm.edu -c myrealm.org,
>> then add it.
>
> Well, no.  The only people who can pts cu user@otherrealm.edu are 
> administrators and someone who can become user@otherrealm.edu.  It is not 
> possible for non-administrators to create arbitrary foreign-realm users.
>
> -- Jeff
>