[6112] in Kerberos
Re: AFS and Common Desk Top
daemon@ATHENA.MIT.EDU (Trey Harris)
Thu Nov 2 14:35:13 1995
Date: Thu, 2 Nov 1995 14:19:24 -0500 (EST)
From: Trey Harris <harris@email.unc.edu>
To: Derek Atkins <warlord@MIT.EDU>
Cc: Doug Engert <DEEngert@anl.gov>, kerberos@MIT.EDU, INFO-AFS@transarc.com, INFO-DFS@transarc.com
In-Reply-To: <199511021857.NAA05320@toxicwaste.media.mit.edu>
On Thu, 2 Nov 1995, Derek Atkins wrote:
> How many groups are you in? On most platforms, the PAG is stored as
> special entries in the first two groups. However if you have too many
> groups, you will not be able to get a PAG, so AFS will default to
> using the UID.
>
> It is quite possible that what is happening is that you have too many
> groups so a new PAG cannot be created. In that case, AFS is getting
> you a token under your UID. That means that any process with your uid
> will have access to your tokens, which explains why all of your
> session gets your tokens.
>
> This would also explain why your tokens remained across multiple
> sessions.
What you describe cannot be happening, because the first time I log in, I
possess no tokens at all, neither UID- or PAG-based. I think I explained
in my initial post that, if I do not run klog with the -setpag flag, then
indeed I get a UID-based token; I know this because if I use network
services that switch to that UID but do not authenticate to AFS, they
have AFS access as me anyway.
If I run klog with the -setpag flag, then I am guaranteed to get a PAG, so
again what you describe cannot be happening, unless Transarc has
improperly implemented the -setpag switch in klog so that rather than
giving you a PAG it does nothing. I'll admit that the behavior I'm seeing
does seem to indicate that -setpag is doing nothing. But I'll need to
verify that with the network service test before I say that klog -setpag
is giving me a UID-based switch.
Quite aside from what you suggest, I'm only in two normal groups, and as
I said before, regular terminal-based login works fine, PAG, tokens and all.
I realize that having too many groups is a classic FAQ answer for a
number of ills, but it just doesn't apply here.
Trey Harris http://sunsite.unc.edu/harris/
System Administrator, Project Isis, Office of Information Technology
The University of North Carolina at Chapel Hill
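The thread above turns on whether a PAG was actually created (tokens bound to the process group) or whether AFS fell back to UID-based tokens (tokens reachable by any process running as that UID). A quicker check than Trey's network-service test is to look at the process's supplementary group list directly, since the classic AFS client encodes the PAG as a pair of "magic" group ids placed in the first two slots. The program below is an added example, not code from the original message or from Transarc's client; it uses the two-group encoding as implemented in the OpenAFS afs_get_groups_from_pag/afs_get_pag_from_groups routines (base 0x3f00, 14-bit halves, top nibble split across the two high bits), which is an assumption about the client in use. Placement of the pair in groups[0] and groups[1] follows Derek's description in the quoted text; the sample group lists are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Sentinel returned when a group pair is not a PAG encoding. */
#define NOPAG          0xffffffffU
/* Base offset of the magic group ids (assumed: OpenAFS encoding). */
#define PAG_GROUP_BASE 0x3f00U

/* Encode a PAG into two group ids (mirrors OpenAFS afs_get_groups_from_pag). */
static void pag_to_groups(uint32_t pag, gid_t *g0p, gid_t *g1p)
{
    uint32_t g0, g1;
    pag &= 0x7fffffffU;
    g0 = 0x3fffU & (pag >> 14);          /* upper 14 of the low 28 bits */
    g1 = 0x3fffU & pag;                  /* lower 14 bits */
    g0 |= ((pag >> 28) / 3) << 14;       /* top nibble spread over both ids */
    g1 |= ((pag >> 28) % 3) << 14;
    *g0p = (gid_t)(g0 + PAG_GROUP_BASE);
    *g1p = (gid_t)(g1 + PAG_GROUP_BASE);
}

/* Decode two group ids back to a PAG, or NOPAG if they are ordinary groups. */
static uint32_t groups_to_pag(gid_t g0a, gid_t g1a)
{
    uint32_t g0 = (uint32_t)g0a - PAG_GROUP_BASE;   /* wraps if below base */
    uint32_t g1 = (uint32_t)g1a - PAG_GROUP_BASE;
    if (g0 < 0xc000U && g1 < 0xc000U) {
        uint32_t l = ((g0 & 0x3fffU) << 14) | (g1 & 0x3fffU);
        uint32_t h = g0 >> 14;
        h = (g1 >> 14) + h + h + h;
        return (h << 28) | l;
    }
    return NOPAG;
}

/* The PAG, if any, carried in a group list: first two slots, per the thread. */
static uint32_t pag_from_group_list(const gid_t *groups, int ngroups)
{
    if (ngroups < 2)
        return NOPAG;
    return groups_to_pag(groups[0], groups[1]);
}

/* setpag must insert two extra groups; with no room it fails and AFS
 * falls back to UID-keyed tokens (the "too many groups" failure mode). */
static int setpag_has_room(int ngroups, int max_groups)
{
    return ngroups + 2 <= max_groups;
}

/* Encode-then-decode self-check used by the test. */
static int pag_roundtrip_ok(uint32_t pag)
{
    gid_t g0, g1;
    pag_to_groups(pag, &g0, &g1);
    return groups_to_pag(g0, g1) == (pag & 0x7fffffffU);
}

/* Constructed sample lists: one from a PAG'd session, one without a PAG. */
static const gid_t sample_pag_groups[]   = { 33536, 32512, 100, 20 };
static const gid_t sample_plain_groups[] = { 100, 20 };

int main(void)
{
    int n = getgroups(0, NULL);
    gid_t *groups = n > 0 ? calloc((size_t)n, sizeof *groups) : NULL;
    if (groups && getgroups(n, groups) == n) {
        uint32_t pag = pag_from_group_list(groups, n);
        if (pag == NOPAG)
            printf("no PAG in first two groups: tokens would be UID-keyed\n");
        else
            printf("PAG 0x%08x present: tokens are per-PAG\n", pag);
        printf("room for setpag: %s\n",
               setpag_has_room(n, (int)sysconf(_SC_NGROUPS_MAX)) ? "yes" : "no");
    }
    free(groups);
    printf("sample PAG list   -> 0x%08x\n",
           pag_from_group_list(sample_pag_groups, 4));
    printf("sample plain list -> 0x%08x\n",
           pag_from_group_list(sample_plain_groups, 2));
    return 0;
}
```

Run this from the session in question (the CDE-launched one and a plain terminal login side by side): if the desktop session shows no PAG while the terminal shows one, klog -setpag is not taking effect there and tokens are being keyed by UID, which is exactly the cross-process leakage described above.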