On Tue, 22 Jan 2002, Nicolas Williams wrote:

> It probably calls krb5_kuserok(), which, if (~/.k5login does not exist
> AND username == krb5_aname_to_lname(client_principal)) returns true.
>
> OTOH, if ~/.k5login exists and the client principal name is not listed
> in it, access is denied, even if the client's principal name maps to the
> requested username.
>
> Cheers,
>
> Nico

ah.. most useful information. and thanks everyone for setting straight re: the idea of ticket ACLs. :)

--paulj
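
The two rules described in the quoted message, as an added example that is not part of the original thread and is not the Kerberos library's own code. It models only those two rules; the realm EXAMPLE.ORG, the principals, and the simplified aname_to_lname() mapping are assumptions made for illustration.

```python
import os
import tempfile

DEFAULT_REALM = "EXAMPLE.ORG"  # constructed realm (assumption)

def aname_to_lname(principal):
    # Simplified stand-in for krb5_aname_to_lname(): only a one-component
    # principal in the default realm maps to a local name.
    name, _, realm = principal.rpartition("@")
    return name if realm == DEFAULT_REALM and "/" not in name else None

def read_k5login(home):
    # Principals listed in <home>/.k5login, or None when the file is absent.
    try:
        with open(os.path.join(home, ".k5login"), encoding="utf-8") as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return None

def kuserok_model(principal, username, home):
    # Model of the two rules in the message, not the library's implementation.
    listed = read_k5login(home)
    if listed is None:
        return aname_to_lname(principal) == username
    return principal in listed  # file exists: the name mapping no longer counts

def demo():
    # Constructed home directory and principals.
    out = {}
    with tempfile.TemporaryDirectory() as home:
        out["no_file_owner"] = kuserok_model("alice@EXAMPLE.ORG", "alice", home)
        out["no_file_other"] = kuserok_model("bob@EXAMPLE.ORG", "alice", home)
        with open(os.path.join(home, ".k5login"), "w", encoding="utf-8") as fh:
            fh.write("bob@EXAMPLE.ORG\n")
        out["file_listed"] = kuserok_model("bob@EXAMPLE.ORG", "alice", home)
        out["file_unlisted_owner"] = kuserok_model("alice@EXAMPLE.ORG", "alice", home)
    return out

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The last case is the one an administrator tends to trip over: once ~/.k5login exists, the account's own principal is denied unless it is listed too.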
