[554] in Kerberos
Re: [Ted Anderson: principal name standards] and more
daemon@TELECOM.MIT.EDU (Bill Sommerfeld)
Thu Dec 15 20:08:49 1988
From: Bill Sommerfeld <wesommer@ATHENA.MIT.EDU>
To: kfall@OKEEFFE.BERKELEY.EDU, John T Kohl <jtkohl@ATHENA.MIT.EDU>,
In-Reply-To: Bill Sommerfeld's message of Thu, 15 Dec 88 18:28:12 EST,

In my reply I wrote:

    .... and then adding that server's KEY to the appropriate
    "access control lists").

Of course, I really meant "adding that server's PRINCIPAL NAME" to the
appropriate ACL.

For example, we currently are running backups of files on "paris" to a
disk drive on "odysseus"; the backups are deposited as user "backup".
The script which runs out of cron gets tickets to allow it to run with
the identity of "rcmd.paris", and uses them to talk to "rcmd.odysseus";
it requests to log in as user "backup". "rcmd.paris" is listed in
~backup/.klogin; it is thus allowed to execute the command which drops
off the dump into a spooling area.
- Bill
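
The authorization step described in the message above, as an added example that is not part of the original message or of the Kerberos sources: a simplified model of checking an authenticated principal name against ~backup/.klogin. The realm EXAMPLE.REALM, the file contents, the function names and the no-file fallback rule are assumptions of this sketch.

```python
# Added illustration: simplified .klogin check using "name.instance@REALM"
# principal names. LOCAL_REALM and the sample file contents are constructed.
from typing import NamedTuple, Optional

LOCAL_REALM = "EXAMPLE.REALM"  # placeholder realm, not taken from the message


class Principal(NamedTuple):
    name: str
    instance: str
    realm: str


def parse_principal(text: str, default_realm: str = LOCAL_REALM) -> Principal:
    """Split 'name[.instance][@REALM]' into its three parts."""
    local, _, realm = text.strip().partition("@")
    name, _, instance = local.partition(".")
    if not name:
        raise ValueError(f"empty principal name in {text!r}")
    return Principal(name, instance, realm or default_realm)


def klogin_allows(klogin_text: Optional[str], client: Principal,
                  local_user: str) -> bool:
    """Decide whether an authenticated client principal may act as local_user.

    klogin_text is the content of ~local_user/.klogin, or None if the file
    does not exist. The ACL holds principal names only, never keys: the key
    was already used to authenticate the client before this check runs.
    """
    if klogin_text is None:
        # Assumed fallback: with no ACL, accept only the user's own principal.
        return client == Principal(local_user, "", LOCAL_REALM)
    for line in klogin_text.splitlines():
        if not line.strip():
            continue
        try:
            if parse_principal(line) == client:
                return True
        except ValueError:
            continue  # skip malformed entries rather than failing open
    return False


# Constructed contents of ~backup/.klogin on "odysseus".
BACKUP_KLOGIN = "rcmd.paris@EXAMPLE.REALM\n"
```
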