> There's an alternative, though. We currently use "foo.admin" rather
> than "foo/admin" for AFS usernames. Kerberos assigns no special
> meaning to "/" and "." -- it's just a convention that "/" is used for
> instances.

There is one problem. Even though theoretically it doesn't give any special meaning to those chars, I think I have found at least one problem with not using /.

In kadm5.acl, / does appear to have special meaning, and you can say

    */admin all

But without /, with say a dot, that line would be

    *.admin all

and it wouldn't work. Before, when hcoop unix usernames matched krb usernames (USER_admin), I tried putting

    *_admin *

and it was not matching our accounts, since the behavior of * is very limited and not implemented as full globbing.

This in itself is not a problem; we could simply add USER.admin for each user, but I think the practice of naming principals user/instance and afs names user.instance has been so rooted in the whole thing that changing it is only calling for weird errors to surface.

Cya,
-doc
_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
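
The ACL behaviour described in the message above, as an added example that is not part of the original post and is not MIT Kerberos code. It is a simplified model that assumes "*" is a wildcard only when it is an entire name component (or the entire realm); the realm EXAMPLE.ORG, the principal "foo" and the helper names are constructed for illustration, and backslash escaping is ignored.

```python
# Simplified model of kadm5.acl principal matching (added example, not MIT code).
# Assumption: "*" matches only as a whole component or whole realm; it is never
# expanded inside a component the way a shell glob would be.

DEFAULT_REALM = "EXAMPLE.ORG"  # constructed placeholder realm


def split_principal(name, default_realm=DEFAULT_REALM):
    """Split 'comp1/comp2@REALM' into (list of components, realm)."""
    if "@" in name:
        name, realm = name.rsplit("@", 1)
    else:
        realm = default_realm
    return name.split("/"), realm


def field_matches(pattern, value):
    """A field matches if the pattern is exactly '*' or is identical."""
    return pattern == "*" or pattern == value


def acl_matches(pattern, principal):
    """True if an ACL principal pattern covers the given principal."""
    p_comps, p_realm = split_principal(pattern)
    n_comps, n_realm = split_principal(principal)
    if len(p_comps) != len(n_comps) or not field_matches(p_realm, n_realm):
        return False
    return all(field_matches(p, n) for p, n in zip(p_comps, n_comps))


def first_match(acl_lines, principal):
    """Return the permission string of the first matching line, else None."""
    for line in acl_lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, perms = line.split()[:2]
        if acl_matches(pattern, principal):
            return perms
    return None


if __name__ == "__main__":
    acl = ["*/admin all", "*.admin all", "*_admin *"]  # lines from the message
    for who in ("foo/admin", "foo.admin", "foo_admin"):  # constructed names
        print(f"{who:10} -> {first_match(acl, who)}")
```

Under this model a dot or underscore form gets no permissions from a wildcard line, so each such principal would need its own explicit entry.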
