[OpenAFS] Re: pts create cross realm users

Andrew Deason adeason@sinenomine.net
Fri, 30 Jul 2010 10:42:56 -0500


On Fri, 30 Jul 2010 11:15:46 -0400
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:

> (2) In modern usage of AFS, the foreign cell name is actually a
> non-local realm name which does not need to match the cell name.

It looks like this is what it's actually trying to do. I don't think
it's actually doing this, but maybe I'm wrong...

The length CorrectUserName uses is pr_realmNameLen, but this is
calculated from

afsconf_GetExtendedCellInfo(prdir, NULL, "afsprot", &info, &clones);
pr_realmName = info.name;
pr_realmNameLen = strlen(pr_realmName);

Which... seems to be the cell name, not realm. I'm assuming this
originates from the time when cell == realm. For modern stuff we need to
iterate through afs_krb_get_lrealm and use the longest one, right?

And "argh": what if the administrator configures another realm to be
'local' and it has a longer name? I presume there's nothing we can do
about that... except perhaps documenting it?

-- 
Andrew Deason
adeason@sinenomine.net
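
Added example, not part of the original message and not OpenAFS code: a sketch of the proposal above, reserving room for the longest local realm instead of the cell name, plus an audit for the case where a longer local realm is configured later. `MAX_NAME_LEN`, the way the length budget is applied, `get_local_realm` (a hypothetical stand-in for iterating the local realm list) and the sample cell, realms and names are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_NAME_LEN 64 /* assumed buffer size for "user@realm", NUL included */

/* Constructed sample configuration, not taken from any real cell. */
static const char *cell_name = "example.org";
static const char *local_realms[] = { "EXAMPLE.ORG", "RESEARCH.CAMPUS.EXAMPLE.ORG" };
#define N_REALMS (sizeof(local_realms) / sizeof(local_realms[0]))

/* Hypothetical iterator: copy local realm number idx into buf and return 0,
 * or return -1 when idx is past the end or the realm does not fit in buf. */
static int get_local_realm(char *buf, size_t buflen, size_t idx)
{
    if (idx >= N_REALMS || strlen(local_realms[idx]) >= buflen)
        return -1;
    strcpy(buf, local_realms[idx]);
    return 0;
}

/* Length to reserve for the suffix: the longest local realm, not the cell. */
size_t longest_local_realm_len(void)
{
    char realm[MAX_NAME_LEN];
    size_t idx, best = 0;
    for (idx = 0; get_local_realm(realm, sizeof(realm), idx) == 0; idx++)
        if (strlen(realm) > best)
            best = strlen(realm);
    return best;
}

/* 1 if name, '@', a suffix of suffix_len bytes and the NUL fit the buffer. */
int name_fits(const char *name, size_t suffix_len)
{
    return strlen(name) + 1 + suffix_len + 1 <= MAX_NAME_LEN;
}

/* Audit: count stored names that stop fitting once suffix_len is reserved. */
size_t count_too_long(const char *const *names, size_t n, size_t suffix_len)
{
    size_t i, bad = 0;
    for (i = 0; i < n; i++)
        bad += !name_fits(names[i], suffix_len);
    return bad;
}

int main(void)
{
    const char *names[] = { "alice", "a-forty-character-long-service-principal" };
    return (name_fits(names[1], strlen(cell_name)) &&
            count_too_long(names, 2, longest_local_realm_len()) == 1) ? 0 : 1;
}
```

The 40-character name passes when only the 11-byte cell name is reserved and fails once the 27-byte realm is taken into account, which is the gap the message describes.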