> Bill Doster writes:
>> Paul, I definitely agree that having large groups (1) and groups
>> within groups (2) would make AFS even more powerful and flexible.
> This is the real problem for large sites, that the current pt server
> can't do either. If it did, who'd care about system:authuser?
>> Since we offer services to non-University people, we really try to
>> discourage the use of the system:authuser pt group since it doesn't
>> really mean that the person is a member of the university (and therefore
>> should have access to software licensed only to members of the university).
> Bill, do IP addresses in your pt server come through as system:authuser?
Other than making it possible to add one group to another, I haven't
tried to make any changes to the semantics of protection groups. Our
ptservers are currently running AFS 3.2 (not 3.2a).
> I also agree that system:authuser is not the best thing. But when
> trying to support real users, using real licensed applications, and
> given the deficiencies in the current pt server, what's a site to do?
Agreed. Always a case of making your best effort with the current options.
Given our much more decentralized base of machines (and our familiarity
dealing with source code on the file servers) it was considered worth
adding this change.
> Of course changing the code yourself is one option. Another would be for
> Transarc to implement the changes. I would assume that since this hasn't
> been done, Transarc is either working on it, or has already decided not to
> do it, or is planning to do it in the future. I don't know which, (Joe?)
We're certainly not wild about changing the code either, especially on the
database servers (this is the only change we've made to database servers).
Bill
