[OpenAFS] elegant solution for user change?

Christof Hanke hanke@rzg.mpg.de
Fri, 03 Aug 2007 13:04:04 +0300


Jochen Thäder wrote:
>>
>> export KRB5CCNAME="/tmp/blah"
>> kinit -t=<operatorkeytab> <principal>
>
> but unfortunately the user now lost his access rights in his other
> shells :-(
> which he should keep
Yes, I just confirmed that with 0.7.1.
The token gets changed by kinit -t ..., which is surprising since
there's an explicit option --afslog.
The solution is to use

kinit --no-afslog -t=...

> Sorry maybe I was a little unclear: I want both, unix and afs user
> changed from worker to operator.... I'm really a little bit puzzled.
For changing the unix-UID, you need something like ssh or su.
So maybe your ssh-solution is best at the minute to change the unix-uid.
One option would be to allow a local "sudo" to change the unix-uid,
which would reduce the ssh-overhead (but implies local changes on the
machine).
It should be possible to do all this using kerberos-tools only, but you
might need to write your own version of "su", which would be the best
way, I think.
way, I think.


Christof
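
An added example, not part of the original message: the KRB5CCNAME plus kinit --no-afslog approach from this thread, wrapped so that the operator tickets live in a private mktemp directory rather than a fixed /tmp name and the calling shell's KRB5CCNAME is never altered. It assumes Heimdal's kinit (the one that has --afslog/--no-afslog and --keytab=); the function names, the opcc. prefix and any principal or keytab passed in are hypothetical, and it does not change the Unix UID.

```shell
# Added example; function names and the "opcc." prefix are hypothetical.
# Assumes Heimdal's kinit/kdestroy are on PATH when the functions are used.

# Create a private (0700) directory and print a ccache name inside it.
# A fixed name such as /tmp/blah can be pre-created by another local user.
new_private_ccache() (
    umask 077
    dir=$(mktemp -d "${TMPDIR:-/tmp}/opcc.XXXXXX") || exit 1
    printf 'FILE:%s/krb5cc\n' "$dir"
)

# Get tickets from a keytab into the given cache.
# The ( ) body is a subshell, so the caller's KRB5CCNAME is untouched;
# --no-afslog keeps kinit from replacing the AFS token the user's
# other shells are still relying on.
operator_kinit() (
    [ -n "$1" ] && [ -r "$2" ] && [ -n "$3" ] || exit 2
    KRB5CCNAME=$1; export KRB5CCNAME
    kinit --no-afslog --keytab="$2" "$3"
)

# Run one command against the operator cache only.
with_operator_ccache() (
    KRB5CCNAME=$1; export KRB5CCNAME
    shift
    "$@"
)

# Destroy the tickets and remove the private directory again.
drop_operator_ccache() (
    KRB5CCNAME=$1; export KRB5CCNAME
    kdestroy 2>/dev/null || :
    dir=${1#FILE:}; dir=${dir%/*}
    # Only delete directories that new_private_ccache could have made.
    case $dir in
        */opcc.??????) rm -rf -- "$dir" ;;
        *) exit 1 ;;
    esac
)
```

Typical use is `cc=$(new_private_ccache)`, then `operator_kinit "$cc" <operatorkeytab> <principal>`, `with_operator_ccache "$cc" <command>`, and finally `drop_operator_ccache "$cc"`.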