[OpenAFS] OpenAFS Protection Server

Derrick Brashear shadow@gmail.com
Tue, 30 Sep 2008 08:42:19 -0400


On Mon, Sep 29, 2008 at 9:31 PM, Loren M. Lang <lorenl@north-winds.org> wrote:
> I am trying to better understand the role of the protection server in
> OpenAFS.  First of all, OpenAFS uses user/group id numbers similar to
> how UNIX does, storing them in ACLs and other file attributes and using
> the UID for all authorization.  The UIDs and GIDs used by OpenAFS are
> completely independent of the UNIX ones except that they show up in stat
> calls and it is convenient for them to match for that one reason.  It
> sounds like RX might use something like the PAC used by Microsoft with
> the Kerberos user's UID and list of GIDs encrypted in the packet with
> the AFS master key.

Rx is just a transport. Doesn't care a whit, any more than SunRPC
would. The Kernel Token Cache might instead use tokens which are more
like Kerberos with PACs, if someone wanted to do that, and eliminate
the fileserver->ptserver communication in *some* (possibly most
depending how you did it) cases.

>  Part of the reason why aklog or similar transition
> commands are needed.  User and group names are only stored in the
> protection server.  The protection server has two main roles, one is
> mapping Kerberos principals to a UID and one or more GIDs, and the
> second role is managing groups and their list of members.  Is this
> basically correct?

Yes.
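The two roles confirmed above (principal name to AFS id, and group membership) and the way the fileserver consumes them when it evaluates an ACL, as an added Python model that is not part of this thread or of the OpenAFS source. The cell name, user names, ids, group and ACL below are constructed for the example; the rights bit values follow OpenAFS's afs/prs_fs.h, the well-known ids (system:anyuser -101, system:authuser -102, anonymous 32766) are the ones the ptserver reserves, and the principal-to-name rule is the one aklog applies (instance separator "/" becomes ".", foreign realms are kept and lowercased).

```python
"""Constructed model of the OpenAFS protection server's two roles and of the
fileserver's ACL check.  Illustration only, not OpenAFS code: the database,
users, group and ACL below are invented."""
from dataclasses import dataclass, field

# Rights bits as defined in OpenAFS's afs/prs_fs.h
PRSFS_READ, PRSFS_WRITE, PRSFS_INSERT, PRSFS_LOOKUP = 1, 2, 4, 8
PRSFS_DELETE, PRSFS_LOCK, PRSFS_ADMINISTER = 16, 32, 64
RIGHT_LETTERS = {"r": PRSFS_READ, "l": PRSFS_LOOKUP, "i": PRSFS_INSERT,
                 "d": PRSFS_DELETE, "w": PRSFS_WRITE, "k": PRSFS_LOCK,
                 "a": PRSFS_ADMINISTER}

ANYUSER_ID = -101      # system:anyuser, member of every CPS
AUTHUSER_ID = -102     # system:authuser, in the CPS of anyone holding a token
ANONYMOUS_ID = 32766   # id the fileserver assigns to connections without a token


def principal_to_ptname(principal: str, local_realm: str) -> str:
    """Name aklog asks the ptserver about for a Kerberos principal."""
    name, realm = principal.rsplit("@", 1)
    name = name.replace("/", ".")          # loren/admin -> loren.admin
    return name if realm == local_realm else f"{name}@{realm.lower()}"


@dataclass
class ProtectionDB:
    """Role 1: name <-> id.  Role 2: groups and their members.
    Users carry positive ids, groups negative ids, as in the ptserver."""
    ids: dict = field(default_factory=dict)      # name -> id
    members: dict = field(default_factory=dict)  # group id -> {user ids}

    def name_to_id(self, name: str) -> int:
        # unknown names get the anonymous id, like an unregistered principal
        return self.ids.get(name, ANONYMOUS_ID)

    def cps(self, user_id: int) -> set:
        """Current Protection Subdomain: the id set the fileserver fetches
        from the ptserver for a caller (its id, its groups, well-known ids)."""
        ids = {user_id, ANYUSER_ID}
        if user_id != ANONYMOUS_ID:
            ids.add(AUTHUSER_ID)
            ids.update(g for g, m in self.members.items() if user_id in m)
        return ids


def parse_rights(spec: str) -> int:
    """'rlidwka' letters, or the fs shorthands none/read/write/all."""
    shorthand = {"none": 0, "read": PRSFS_READ | PRSFS_LOOKUP,
                 "write": 63, "all": 127}
    if spec in shorthand:
        return shorthand[spec]
    return sum(RIGHT_LETTERS[c] for c in spec)


def rights_to_str(bits: int) -> str:
    s = "".join(c for c in "rlidwka" if bits & RIGHT_LETTERS[c])
    return s or "none"


def effective_rights(acl: dict, cps: set) -> int:
    """Fileserver rule: OR of matching positive entries, minus the OR of
    matching negative entries.  A negative entry always wins."""
    granted = denied = 0
    for pid, bits in acl["pos"].items():
        if pid in cps:
            granted |= bits
    for pid, bits in acl["neg"].items():
        if pid in cps:
            denied |= bits
    return granted & ~denied


def check_access(db, principal, local_realm, acl, authenticated=True) -> str:
    """Walk the whole path: principal -> pts name -> id -> CPS -> ACL check."""
    if authenticated:
        uid = db.name_to_id(principal_to_ptname(principal, local_realm))
    else:
        uid = ANONYMOUS_ID
    return rights_to_str(effective_rights(acl, db.cps(uid)))


# Constructed sample database and directory ACL (invented names and ids)
SAMPLE_DB = ProtectionDB(
    ids={"loren": 1001, "derrick": 1002, "staff": -201,
         "system:anyuser": ANYUSER_ID, "system:authuser": AUTHUSER_ID},
    members={-201: {1001}},            # staff = {loren}
)
SAMPLE_ACL = {
    "pos": {SAMPLE_DB.ids["staff"]: parse_rights("rlidwk"),
            ANYUSER_ID: parse_rights("rl"),
            SAMPLE_DB.ids["derrick"]: parse_rights("rl")},
    "neg": {SAMPLE_DB.ids["derrick"]: parse_rights("rl")},   # explicit deny
}

if __name__ == "__main__":
    for princ, auth in [("loren@EXAMPLE.ORG", True),
                        ("derrick@EXAMPLE.ORG", True),
                        ("loren@EXAMPLE.ORG", False)]:
        who = "with token" if auth else "no token"
        print(princ, who, "->",
              check_access(SAMPLE_DB, princ, "EXAMPLE.ORG", SAMPLE_ACL, auth))
```

The point the model makes visible is the one Derrick describes: the token carries nothing but an id, so every access decision depends on a fileserver-to-ptserver lookup of the caller's CPS, and group membership changes in the ptserver take effect without re-issuing tokens. It also shows why the negative ACL entry for derrick blocks him even though system:anyuser grants rl to everyone.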