[OpenAFS] Re: PTS entry max length

Andrew Deason adeason@sinenomine.net
Tue, 7 Feb 2012 11:38:40 -0600


On Tue, 7 Feb 2012 09:09:09 -0500 (EST)
Eric Sturdivant <sturdiva@umd.edu> wrote:

> I am getting errors trying to create PTS users with a name > 50
> characters, is this the limit? (PR_MAXNAMELEN seems to be 64)

In all 1.4 releases of OpenAFS and earlier, the ptserver not only checks
if the given username is short enough, but also if "username@cell" is
short enough. Presumably your cell name (or associated realm name? I
forget) is in the vicinity of 14 characters long.

This check is done because if you want to be able to authenticate to
foreign realms as a foreign user, you (or some tool like aklog) must
create a username <user>@<local.cell> in the foreign cell ptdb. So, the
username needs to be short enough such that such a user can be created
in the future.

It was discussed some time in 2010 that this check is unnecessarily
restrictive, and was removed (there was some discussion on the mailing
list or maybe jabber... I can't find it now). In 1.6 releases of OpenAFS
and beyond, as well as any future non-security 1.4 releases if they ever
get done, the ptserver will not take the local cell name into account
when doing that length check.

In the meantime, if you need to create users with names that long...
there might be a way to fiddle with the cell name to force it or
something. Or you can apply this patch:
<http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=f42d59338d6f9df04c48e4b4fa08456b38ca4e4d>

-- 
Andrew Deason
adeason@sinenomine.net