On Mon, Sep 29, 2008 at 9:31 PM, Loren M. Lang <[EMAIL PROTECTED]> wrote:

> I am trying to better understand the role of the protection server in
> OpenAFS. First of all, OpenAFS uses user/group id numbers similar to
> how UNIX does, storing them in ACLs and other file attributes, and using
> the UID for all authorization. The UIDs and GIDs used by OpenAFS are
> completely independent of the UNIX ones except that they show up in stat
> calls and it is convenient for them to match for that one reason. It
> sounds like RX might use something like the PAC used by Microsoft with
> the Kerberos user's UID and list of GIDs encrypted in the packet with
> the AFS master key.
Rx is just a transport. Doesn't care a whit, any more than SunRPC would.
The Kernel Token Cache might instead use tokens which are more like
Kerberos with PACs, if someone wanted to do that, and eliminate the
fileserver->ptserver communication in *some* (possibly most, depending how
you did it) cases.

> Part of the reason why aklog or similar transition
> commands are needed. User and group names are only stored in the
> protection server. The protection server has two main roles, one is
> mapping Kerberos principals to a UID and one or more GIDs, and the
> second role is managing groups and their list of members. Is this
> basically correct?

Yes.

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
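The two ptserver roles confirmed above (principal to AFS id mapping, and group membership feeding the id list the fileserver matches against ACLs) can be seen end to end in the following toy model. This is an added example, not OpenAFS code and not part of the thread. Only the conventions are real: positive user ids, negative group ids, system:anyuser = -101, system:authuser = -102, anonymous = 32766, the rlidwka rights letters, the krb5 instance separator becoming "." and foreign-realm users carrying an "@realm" suffix with membership in system:authuser@realm. The in-memory data structures, the id allocation starting at 1 and -300, and the sample cell are assumptions made for the example.

```python
"""Toy model of the OpenAFS protection server (ptserver) and of the fileserver's
ACL check.  Added example, not OpenAFS code.  Only the naming conventions are
real (users positive, groups negative, system:anyuser = -101,
system:authuser = -102, anonymous = 32766, rights rlidwka); the id allocation,
the data structures and the -300 group base are assumptions."""

from dataclasses import dataclass, field

ANYUSER, AUTHUSER, ANONYMOUS = -101, -102, 32766
RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer


def rights_to_bits(s: str) -> int:
    return sum(1 << RIGHTS.index(c) for c in s)


def bits_to_rights(b: int) -> str:
    return "".join(c for i, c in enumerate(RIGHTS) if b >> i & 1)


class ProtectionDB:
    """Role 1: turn a Kerberos principal into an AFS id.  Role 2: hold groups."""

    def __init__(self, local_realm: str):
        self.local_realm = local_realm.upper()
        self.ids = {"system:anyuser": ANYUSER, "system:authuser": AUTHUSER,
                    "anonymous": ANONYMOUS}
        self.members = {}          # group id -> set of user ids
        self.foreign = set()       # ids of users registered from another realm
        self.next_uid, self.next_gid = 1, -300   # assumed allocation bases

    def afs_name(self, principal: str) -> str:
        """The krb5 -> AFS name rewrite aklog applies before the ptserver lookup."""
        name, realm = principal.rsplit("@", 1)
        name = name.replace("/", ".")      # instance separator becomes "."
        if realm.upper() == self.local_realm:
            return name
        return f"{name}@{realm.lower()}"  # foreign-realm users keep a suffix

    def creategroup(self, name: str) -> int:
        gid = self.ids.setdefault(name, self.next_gid)
        if gid == self.next_gid:
            self.next_gid -= 1
            self.members[gid] = set()
        return gid

    def register_principal(self, principal: str) -> int:
        """Like pts createuser on the mapped name; a foreign user also joins
        system:authuser@<realm>, which is how an ACL names 'users of that cell'."""
        name = self.afs_name(principal)
        if name in self.ids:
            return self.ids[name]
        uid = self.ids[name] = self.next_uid
        self.next_uid += 1
        if "@" in name:
            self.foreign.add(uid)
            realm = name.split("@", 1)[1]
            self.adduser(uid, self.creategroup("system:authuser@" + realm))
        return uid

    def adduser(self, uid: int, gid: int) -> None:
        self.members[gid].add(uid)

    def cps(self, uid: int) -> set:
        """Current Protection Subgroup: the id list the fileserver fetches from
        the ptserver for a user and then matches against ACL entries."""
        if uid == ANONYMOUS:
            return {ANONYMOUS, ANYUSER}
        ids = {uid, ANYUSER} | {g for g, m in self.members.items() if uid in m}
        if uid not in self.foreign:
            ids.add(AUTHUSER)      # only local-realm identities get system:authuser
        return ids


@dataclass
class ACL:
    positive: dict = field(default_factory=dict)  # id -> rights bits
    negative: dict = field(default_factory=dict)


def effective_rights(db: ProtectionDB, acl: ACL, uid: int) -> str:
    """Union of matching positive entries minus union of matching negative ones."""
    pos = neg = 0
    for i in db.cps(uid):
        pos |= acl.positive.get(i, 0)
        neg |= acl.negative.get(i, 0)
    return bits_to_rights(pos & ~neg)


def build_demo():
    """Constructed sample cell: two local users, one foreign user, one ACL."""
    db = ProtectionDB("EXAMPLE.COM")
    loren = db.register_principal("loren@EXAMPLE.COM")
    alice = db.register_principal("alice@EXAMPLE.COM")
    bob = db.register_principal("bob@OTHER.ORG")      # stored as bob@other.org
    staff = db.creategroup("staff")
    db.adduser(loren, staff)
    acl = ACL(positive={staff: rights_to_bits("rlidwk"),
                        AUTHUSER: rights_to_bits("rl"),
                        ANYUSER: rights_to_bits("l")},
              negative={bob: rights_to_bits("rl")})   # explicit deny for bob
    return db, acl, {"loren": loren, "alice": alice, "bob": bob}


if __name__ == "__main__":
    db, acl, who = build_demo()
    print("loren/admin ->", db.afs_name("loren/admin@EXAMPLE.COM"))
    for label, uid in list(who.items()) + [("anonymous", ANONYMOUS)]:
        print(f"{label:10} cps={sorted(db.cps(uid))} "
              f"rights={effective_rights(db, acl, uid)!r}")
```

The run shows why the fileserver has to talk to the ptserver at all: the token only identifies the principal, and everything the ACL check needs beyond that (group ids, whether the identity counts as system:authuser, the realm suffix for a foreign user) comes from the protection database. Note also that the anonymous identity still matches system:anyuser, so any rights granted to that entry are reachable without a token, and that a negative entry removes rights regardless of which group granted them.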
