[OpenAFS] OpenAFS Protection Server

Loren M. Lang lorenl@north-winds.org
Mon, 29 Sep 2008 18:31:27 -0700



I am trying to better understand the role of the protection server in
OpenAFS.  First of all, OpenAFS uses user/group id numbers similar to
how UNIX does, storing them in ACLs and other file attributes and using
the UID for all authorization.  The UIDs and GIDs used by OpenAFS are
completely independent of the UNIX ones, except that they show up in stat
calls, and it is convenient for them to match for that one reason.  It
sounds like RX might use something like the PAC used by Microsoft, with
the Kerberos user's UID and list of GIDs encrypted in the packet with
the AFS master key.  That is part of the reason why aklog or similar
transition commands are needed.  User and group names are only stored in
the protection server.  The protection server has two main roles: one is
mapping Kerberos principals to a UID and one or more GIDs, and the
second is managing groups and their lists of members.  Is this
basically correct?
-- 
Loren M. Lang
lorenl@north-winds.org
http://www.north-winds.org/


Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A  3FA4 DCEE BB39 7654 DE5B


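The two protection-server roles the message asks about (name-to-ID mapping and group membership) and the way the file server consumes them (an ACL check against the caller's AFS ID plus all the groups it belongs to) can be shown as a small model. The following is an added illustration written for this page, not OpenAFS source: the class names `PTDatabase`, `afs_name_from_principal` and `check_access` are invented, the database is an in-memory dict instead of the real Ubik-backed ptserver, and the user/group records are constructed sample data. The well-known IDs for `system:anyuser`, `system:authuser`, `system:administrators` and `anonymous`, the principal-name translation rules and the positive/negative ACL semantics are the real OpenAFS conventions.

```python
"""Toy model of the OpenAFS protection server (ptserver) roles.

Added example, not OpenAFS code.  Role 1: map names (derived from Kerberos
principals) to AFS IDs.  Role 2: keep group membership.  The file server
then asks for the caller's CPS (current protection subdomain: the user ID
plus every group ID it belongs to) and evaluates the directory ACL
against that set.  All class/function names here are hypothetical.
"""

# Well-known AFS IDs.  Users are positive, groups are negative.
SYSTEM_ANYUSER = -101
SYSTEM_AUTHUSER = -102
SYSTEM_ADMINISTRATORS = -204
ANONYMOUS_ID = 32766

RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer


def afs_name_from_principal(principal: str, local_realm: str) -> str:
    """Turn a Kerberos principal into the name aklog looks up in the PT
    database: '/' between name and instance becomes '.', the local realm
    is dropped, a foreign realm is kept as name@realm (lower-cased)."""
    name, _, realm = principal.partition("@")
    name = name.replace("/", ".")
    if realm and realm.upper() != local_realm.upper():
        return f"{name}@{realm.lower()}"
    return name


class PTDatabase:
    """In-memory stand-in for the ptserver (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self.ids: dict[str, int] = {
            "system:anyuser": SYSTEM_ANYUSER,
            "system:authuser": SYSTEM_AUTHUSER,
            "system:administrators": SYSTEM_ADMINISTRATORS,
            "anonymous": ANONYMOUS_ID,
        }
        self.members: dict[int, set[int]] = {SYSTEM_ADMINISTRATORS: set()}
        self._next_user = 1      # like 'pts createuser' with automatic IDs
        self._next_group = -205  # first free group ID after the system groups

    def createuser(self, name: str) -> int:
        if name in self.ids:
            raise ValueError(f"entry {name!r} already exists")
        uid, self._next_user = self._next_user, self._next_user + 1
        self.ids[name] = uid
        return uid

    def creategroup(self, name: str) -> int:
        if name in self.ids:
            raise ValueError(f"entry {name!r} already exists")
        gid, self._next_group = self._next_group, self._next_group - 1
        self.ids[name] = gid
        self.members[gid] = set()
        return gid

    def adduser(self, user: str, group: str) -> None:
        """Equivalent of 'pts adduser -user USER -group GROUP'."""
        self.members[self.ids[group]].add(self.ids[user])

    def cps(self, uid: int) -> set[int]:
        """Current protection subdomain for a caller with AFS ID uid.
        Everyone matches system:anyuser; only authenticated (non-anonymous)
        callers also match system:authuser."""
        subdomain = {uid, SYSTEM_ANYUSER}
        if uid != ANONYMOUS_ID:
            subdomain.add(SYSTEM_AUTHUSER)
        subdomain |= {gid for gid, users in self.members.items() if uid in users}
        return subdomain


def check_access(pts: PTDatabase, acl: dict, uid: int, wanted: str) -> bool:
    """AFS ACL evaluation: the union of rights from every matching positive
    entry, minus the union of rights from every matching negative entry.
    There is no first-match ordering, unlike POSIX ACLs."""
    subdomain = pts.cps(uid)
    granted: set[str] = set()
    denied: set[str] = set()
    for name, rights in acl.get("positive", []):
        if pts.ids[name] in subdomain:
            granted |= set(rights)
    for name, rights in acl.get("negative", []):
        if pts.ids[name] in subdomain:
            denied |= set(rights)
    return set(wanted) <= (granted - denied)


def build_example() -> tuple[PTDatabase, dict]:
    """Constructed sample data: two users, one group, one directory ACL."""
    pts = PTDatabase()
    pts.createuser("alice")
    pts.createuser("bob")
    pts.creategroup("staff")
    pts.adduser("alice", "staff")
    acl = {
        "positive": [("system:anyuser", "l"), ("staff", "rlidwk")],
        "negative": [("bob", "rl")],  # 'fs setacl -negative bob rl'
    }
    return pts, acl


if __name__ == "__main__":
    pts, acl = build_example()
    print(afs_name_from_principal("alice/admin@EXAMPLE.ORG", "EXAMPLE.ORG"))
    for who in ("alice", "bob", "anonymous"):
        print(who, sorted(pts.cps(pts.ids[who])),
              check_access(pts, acl, pts.ids[who], "l"))
```

The point worth noticing is that the file server never sees names or Kerberos principals: `aklog` turns the principal into a PT name, the ptserver turns that into an ID, and from then on authorization is purely a set operation on IDs, which is why a stale or wrong ptserver mapping silently changes who a directory ACL applies to.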