On Wed, Jan 24, 2018 at 07:31:51PM +0000, Ximeng Guan wrote:
[snip]
> Did I miss anything here?

I don't think so. It's probably best to think of system:authuser as a shorthand for "all entities that can authenticate to the protection server", users and keytab-based credentials. The machine/IP prdb entries are in an intermediate space, in which they can appear on access control lists but nothing can actually authenticate directly as those pts entries. It seems like a weird design choice now, but probably made sense at the time. pts_createuser(1) has some information about the actual functionality.

Garance's suggestion of (essentially) adding an additional layer of abstraction seems to be the best practice for this area.

-Ben
