[OpenAFS] Is member of a machine group honored as system:authuser?
Benjamin Kaduk
kaduk@mit.edu
Wed, 24 Jan 2018 22:14:24 -0600
On Wed, Jan 24, 2018 at 07:31:51PM +0000, Ximeng Guan wrote:
[snip]
> Did I miss anything here?
I don't think so. It's probably best to think of system:authuser as
a shorthand for "all entities that can authenticate to the
protection server", users and keytab-based credentials. The
machine/IP prdb entries are in an intermediate space, in which they
can appear on access control lists but nothing can actually
authenticate directly as those pts entries. It seems like a weird
design choice now, but probably made sense at the time.
pts_createuser(1) has some information about the actual
functionality.
Garance's suggestion of (essentially) adding an additional layer of
abstraction seems to be the best practice for this area.
-Ben
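A toy model of the distinction Ben draws above, added here as an illustration; it is not OpenAFS code and not part of the thread. It assumes a simplified fileserver check: the client's protection set is the union of what its authenticated pts identity implies (its own entry, its groups, system:anyuser and system:authuser) and what the machine (IP) entries matching its address imply (those entries and their groups). The database contents, ACL and client addresses are constructed for the example, and negative rights are not modelled.

```python
"""Simplified model of an OpenAFS-style ACL check (illustration, not OpenAFS code).

The point demonstrated: system:authuser is only granted to a client that
authenticated as a real pts user. A machine/IP entry, or a group containing
one, is matched purely by client address and never implies authentication,
so membership of a machine group does not make a client system:authuser.
All names and data below are constructed for the example.
"""
from dataclasses import dataclass, field
import ipaddress

ANYUSER = "system:anyuser"
AUTHUSER = "system:authuser"


@dataclass
class ProtectionDB:
    """Constructed stand-in for the prdb: entries mapped to their groups."""
    users: dict = field(default_factory=dict)      # username -> {groups}
    machines: dict = field(default_factory=dict)   # CIDR string -> {groups}

    def user_cps(self, user):
        """Protection set implied by the authenticated identity (assumed model).

        An unauthenticated or unknown client only gets system:anyuser;
        nothing can authenticate as a machine entry, so a machine entry
        never appears here.
        """
        if user is None or user not in self.users:
            return {ANYUSER}
        return {user, ANYUSER, AUTHUSER} | self.users[user]

    def host_cps(self, addr):
        """Protection set contributed by machine entries matching the client IP."""
        ip = ipaddress.ip_address(addr)
        cps = set()
        for cidr, groups in self.machines.items():
            if ip in ipaddress.ip_network(cidr):
                cps.add(cidr)
                cps |= groups
        return cps


def effective_rights(pdb, acl, user, addr):
    """Return the sorted rights string a client gets on an ACL.

    acl maps a pts name (user, group, machine entry or system:* name) to a
    rights string such as "rlidwka". Rights from every matching entry are
    unioned; negative rights are deliberately not modelled.
    """
    cps = pdb.user_cps(user) | pdb.host_cps(addr)
    rights = set()
    for entry, perms in acl.items():
        if entry in cps:
            rights |= set(perms)
    return "".join(sorted(rights))


def is_authuser(pdb, user, addr):
    """True only when the client is treated as system:authuser."""
    return AUTHUSER in (pdb.user_cps(user) | pdb.host_cps(addr))


# Constructed sample data: one real user in a group, one IP range in a
# machine group, and an ACL that grants different rights to each.
SAMPLE_PDB = ProtectionDB(
    users={"alice": {"admins"}},
    machines={"10.1.0.0/16": {"lab-hosts"}},
)
SAMPLE_ACL = {
    AUTHUSER: "rl",        # any authenticated identity may read
    "lab-hosts": "rlw",    # machine group: read/write by client address
    "admins": "rlidwka",   # alice's group: everything
}

if __name__ == "__main__":
    # Unauthenticated client inside the lab range: lab-hosts rights only,
    # no system:authuser rights despite the machine group membership.
    print(effective_rights(SAMPLE_PDB, SAMPLE_ACL, None, "10.1.2.3"))
    print(is_authuser(SAMPLE_PDB, None, "10.1.2.3"))
    # Authenticated alice from an unrelated address: authuser + admins.
    print(effective_rights(SAMPLE_PDB, SAMPLE_ACL, "alice", "192.168.1.1"))
```

Running the block shows the lab-range client getting `lrw` from the machine group and `False` for system:authuser, while alice from any address gets the union of the authuser and admins entries. The model is the reason an additional layer of abstraction, as suggested in the thread, is needed when both kinds of entry must be reasoned about together.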