> http://osdir.com/ml/os.plan9.nine-grid/2005-06/msg00001.html is a proposal
> from some years ago from TIP9UG to do multi-domain authentication in a way
> somewhat reminiscent of Kerberos.[1]
>
> The only change to factotum, AFAICT, was the following addition:
>> if(_strfindattr(s->key->attr, "grid")){
>>     snprint(s->t.suid, sizeof s->t.suid, "[EMAIL PROTECTED]", s->t.cuid,
>>         _strfindattr(s->key->attr, "dom"));
>>     safecpy(s->t.cuid, s->t.suid, sizeof s->t.cuid);
>>     flog("grid user: %s", s->t.suid);
>> }
> in the SHaveAuth case of p9skread.
>
> This seems like a good way to go about MDA, so I am curious why this change
> didn't get put back into the mainline code? Is there something
> fundamentally wrong? Was a different approach selected? Was the issue
> simply tabled?

could you explain what you mean by multi-domain authentication? i authenticate from one plan 9 authentication domain to another every day. the only thing that needs to be set up is that the hostowner of the other auth domain's auth server needs to be in your /lib/ndb/auth. (this is already done if you use bootes.) and you need a line with auth and authdom keys added to /lib/ndb/local on the auth client's machine.

is there something else you are looking for?

> [1] I say similar to Kerberos in that it requires a domain A wishing to
> accept identities from domain B to have a key from B's authsrv.

i don't understand this. which key are you talking about?

- erik
