[OpenAFS] Is member of a machine group honored as system:authuser?

Benjamin Kaduk kaduk@mit.edu
Wed, 24 Jan 2018 22:14:24 -0600

On Wed, Jan 24, 2018 at 07:31:51PM +0000, Ximeng Guan wrote:

> Did I miss anything here? 

I don't think so.  It's probably best to think of system:authuser as
a shorthand for "all entities that can authenticate to the
protection server", users and keytab-based credentials.  The
machine/IP prdb entries are in an intermediate space, in which they
can appear on access control lists but nothing can actually
authenticate directly as those pts entries.  It seems like a weird
design choice now, but probably made sense a the time.
pts_createuser(1) has some information about the actual

Garance's suggestion of (essentially) adding an additional layer of
abstraction seems to be the best practice for this area.