I am trying to better understand the role of the protection server in OpenAFS.

First of all, OpenAFS uses user/group ID numbers similar to how UNIX does, storing them in ACLs and other file attributes, and using the UID for all authorization. The UIDs and GIDs used by OpenAFS are completely independent of the UNIX ones, except that they show up in stat calls and it is convenient for them to match for that one reason.

It sounds like RX might use something like the PAC used by Microsoft, with the Kerberos user's UID and list of GIDs encrypted in the packet with the AFS master key. Part of the reason why aklog or similar transition commands are needed.

User and group names are only stored in the protection server. The protection server has two main roles: one is mapping Kerberos principals to a UID and one or more GIDs, and the second role is managing groups and their list of members.

Is this basically correct?

--
Loren M. Lang
[EMAIL PROTECTED]
http://www.north-winds.org/

Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B
