[OpenAFS] OpenAFS Protection Server

Loren M. Lang lorenl@north-winds.org
Mon, 29 Sep 2008 18:31:27 -0700

Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

I am trying to better understand the role of the protection server in
OpenAFS.  First of all, OpenAFS uses user/group id numbers similar to
how UNIX does storing them in ACLs, and other file attributes, and using
the UID for all authorization.  The UIDs and GIDs used by OpenAFS are
completely independent of the UNIX ones except that they show up in stat
calls and it is convenient for them to match for that one reason.  It
sounds like RX might use something like the PAC used by Microsoft with
the Kerberos user's UID and list of GIDs encrypted in the packet with
the AFS master key.  Part of the reason why aklog or similar transition
commands are needed.  User and group names are only stored in the
protection server.  The protection server has two main roles, one is
mapping Kerberos principals to a UID and one or more GIDs, and the
second role is managing groups and their list of members.  Is this
basically correct?
Loren M. Lang

Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A  3FA4 DCEE BB39 7654 DE5B

Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

Version: GnuPG v1.4.6 (GNU/Linux)