Thomas J. Orban writes...
> Am I missing something here? Why couldn't you use this as a passwd
> entry:
> jpublic:AFS:1000:10:John Q. Public III:/u/jpublic:/bin/tcsh
> If the system uses the transarc login/rlogind, then authentication comes
> exclusively from the AFS passwd, and users change their passwd
> exclusively with kpasswd. Obviously a few programs (xlock and pcnfs
> come to mind) need to be modified, but is there something inherently
> wrong with this approach?
I agree that a single place for passwords is a cleaner solution. If
memory serves me well there were two reasons why we needed to maintain
the password in two places:
1. We already had a large user population when we introduced AFS/Kerberos
and at the same time, there was a simultaneous effort to clean up the
name space. A decision was made not to automatically give existing
users an AFS id until they requested one. (This way we would figure
out which user id's were dead.) Since the AFS login program checks
both Kerberos and /etc/passwd, we needed the password in both places.
2. There were some folks who were worried about not being able to
log in if the AFS servers became unavailable. In particular, suppose
the user needed to run some network configuration command. We don't
give out the root password; instead we use sudo, which requires that
the user log in as him/herself and then become root.
----------------------------------------------------------
Michael S. Fagan | IBM Research
[EMAIL PROTECTED] | http://www.watson.ibm.com/~mfagan
----------------------------------------------------------
P.S. How did I do Mike D.? :)