Loren M. Lang wrote:
> I am trying to better understand the role of the protection server in
> OpenAFS. First of all, OpenAFS uses user/group id numbers similar to
> how UNIX does storing them in ACLs, and other file attributes, and using
> the UID for all authorization. The UIDs and GIDs used by OpenAFS are
> completely independent of the UNIX ones except that they show up in stat
> calls and it is convenient for them to match for that one reason. It
> sounds like RX might use something like the PAC used by Microsoft with
> the Kerberos user's UID and list of GIDs encrypted in the packet with
> the AFS master key. Part of the reason why aklog or similar transition
> commands are needed. User and group names are only stored in the
> protection server. The protection server has two main roles, one is
> mapping Kerberos principals to a UID and one or more GIDs, and the
> second role is managing groups and their list of members. Is this
> basically correct?
Close but not quite correct. The protection service is a distributed database that contains records for:

* user and group name to AFSID mappings
* group membership info
* various flags on the objects controlling their interpretation

The AFS token does not contain any authorization data similar to the Microsoft PAC. It only contains authentication information necessary to communicate the identity of the peer in the form of a Kerberos Principal Name. When authenticating each incoming connection, each server obtains the name of the client and contacts the Protection Service to look up the AFSID associated with the identity and its group memberships.

aklog is required to obtain an authentication token and associate the token with a particular cell that you are communicating with. For each cell you access you can associate a token obtained using a different network identity.

Each object in the file system has an owner, a group, and an access control list. These objects use AFSIDs and are therefore visible to the user. To reduce end user confusion it is convenient for these IDs to be the same as the ones used for the local machine accounts.

Jeffrey Altman
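The lookup flow Jeffrey describes, as an added example that is not code from the thread or from OpenAFS: a toy Python model in which the token carries only the Kerberos principal name (no AFSID, no group list) and the file server must consult a protection database for the AFSID and group memberships before it can evaluate an ACL. The user names, AFSIDs, group name and rights letters are constructed; the convention that user AFSIDs are positive and group AFSIDs negative is an assumption of the model.

```python
from dataclasses import dataclass, field


@dataclass
class ProtectionDB:
    """Toy stand-in for the protection database: name<->AFSID and membership."""
    ids: dict = field(default_factory=dict)      # name -> AFSID (users > 0, groups < 0: assumption)
    members: dict = field(default_factory=dict)  # group AFSID -> set of user AFSIDs

    def create_user(self, name, afsid):
        self.ids[name] = afsid

    def create_group(self, name, afsid):
        self.ids[name] = afsid
        self.members[afsid] = set()

    def add_member(self, user, group):
        self.members[self.ids[group]].add(self.ids[user])

    def lookup(self, principal):
        """What a server asks the protection service for: AFSID plus group AFSIDs."""
        uid = self.ids.get(principal)
        if uid is None:
            return None, set()
        return uid, {g for g, m in self.members.items() if uid in m}


def make_token(principal):
    """A token carries identity only; unlike a PAC it holds no IDs or groups."""
    return {"principal": principal}


def server_check(ptdb, token, acl, right):
    """File server side: authenticated name -> PTS lookup -> ACL evaluation.
    `acl` maps an AFSID (user or group) to a set of rights; the granted rights
    are the union of the user's own entry and every group the user belongs to."""
    uid, groups = ptdb.lookup(token["principal"])
    if uid is None:          # unknown principal: no AFSID, nothing granted here
        return False
    granted = set(acl.get(uid, set()))
    for g in groups:
        granted |= acl.get(g, set())
    return right in granted


def demo():
    ptdb = ProtectionDB()
    ptdb.create_user("loren", 1001)      # constructed users and IDs
    ptdb.create_user("jaltman", 1002)
    ptdb.create_group("admins", -200)    # constructed group
    ptdb.add_member("jaltman", "admins")
    acl = {1001: {"r", "l"}, -200: {"r", "l", "w"}}   # constructed ACL
    before = server_check(ptdb, make_token("loren"), acl, "w")   # False
    ptdb.add_member("loren", "admins")   # change PTS only; the token is unchanged
    after = server_check(ptdb, make_token("loren"), acl, "w")    # True
    return before, after, server_check(ptdb, make_token("nobody"), acl, "r")
```

Because the same token yields a different answer once the group membership in the protection database changes, the model shows why authorization lives in the protection service rather than in the token.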