Hi there!

Alexis wrote about the $USER:
> They want to be prompted for tickets when they need new ones (or have
> them automatically acquired in the pkinit case).

Just my 0.50SEK: In that case the apps accessing the file system must get a lot smarter. I don't even know if they could do the job without a crystal ball.

Take the Finder. Say my box is in the pdc.kth.se cell, per default authenticated in the NADA.KTH.SE realm. Now I go down into /afs/stacken.kth.se/home/haba and open something. One of the questions is if it should be opened for reading or writing? The ACLs of what I'm opening indicate that [EMAIL PROTECTED] has full access but there is also a group containing [EMAIL PROTECTED] and [EMAIL PROTECTED] which has r/w access but not administer. So should Finder try to obtain a cross realm or prompt me for a new password [EMAIL PROTECTED] Or [EMAIL PROTECTED] And can the Finder detect which tokens actually work in the end because cross realm with NADA.KTH.SE is broken and with KTH.SE works this week? If all fails, will I be prompted for haba/[EMAIL PROTECTED] which is in system:administrators?

I don't say it is impossible. But for an application that is still dumber than mv (it does not detect cross volume rename() and does the right thing) it seems to be an overwhelming task to even be able to ask the user the right questions. And I'm feeling that I have just scratched the surface.

So there will be the need for some graphical thingie that displays AFS's view of what credentials are valid and then a way to tie them to apps or the other way around. Today I do that with some scripts and pagsh and so on but that is so 90s ;-)

Harald.
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
