[501] in Moira
KERBEROS members of self administering LISTs
daemon@ATHENA.MIT.EDU (Mark Rosenstein)
Mon Dec 21 13:07:33 1992
Date: Mon, 21 Dec 92 13:07:12 -0500
From: Mark Rosenstein <mar@MIT.EDU>
To: tlyu@MIT.EDU
Cc: bug-moira@Athena.MIT.EDU
In-Reply-To: Tom Yu's message of Sat, 19 Dec 92 16:55:23 -0500 <9212192155.AA22809@hodge>

It would be nice if your bug report said what you thought was wrong,
since all you did was show a couple of operations that worked as I
would expect. My guess as to your confusion is that
KERBEROS:tlyu@ATHENA.MIT.EDU didn't give you the access you expected.

What happened here is that there is an implicit Kerberos mapping for
every user from [username]@[default-realm-of-Moira-server] to
USER:[username]. So when you authenticate to Moira with your regular
tickets, for authentication purposes you are now USER:tlyu. It
doesn't remember that you got there as KERBEROS:tlyu@ATHENA.MIT.EDU.
To do this, it would have to maintain a list of authentications for
each session. This means that KERBEROS entries on access control
lists are not useful if they name a regular user already in the Moira
database.

-Mark
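
The behaviour described in the message above, as an added example that is not part of the original message and is not Moira's own code: a simplified Python model of the single-identity session, plus a check that flags KERBEROS ACL entries that can never match. The function names, the sample users and the sample ACL are constructed, and leaving non-user principals as KERBEROS identities is an assumption.

```python
# Simplified model of the mapping described in the message; not Moira's code.
DEFAULT_REALM = "ATHENA.MIT.EDU"   # default realm of the server, as in the message
USERS = {"tlyu", "mar"}            # constructed sample of the users table

# Constructed sample ACL as (member type, member name) pairs.
ACL = {
    ("KERBEROS", "tlyu@ATHENA.MIT.EDU"),   # names a regular user
    ("KERBEROS", "guest@EXAMPLE.ORG"),     # foreign-realm principal (constructed)
    ("USER", "mar"),
}


def session_identity(principal, users=USERS, default_realm=DEFAULT_REALM):
    """Collapse an authenticated principal to the one identity the session keeps."""
    name, _, realm = principal.partition("@")
    if realm == default_realm and name in users:
        # Implicit mapping: the session no longer remembers the KERBEROS form.
        return ("USER", name)
    # Assumption: anything that is not a known user stays a KERBEROS identity.
    return ("KERBEROS", principal)


def has_access(principal, acl, users=USERS, default_realm=DEFAULT_REALM):
    """Check the ACL against the single remembered identity only."""
    return session_identity(principal, users, default_realm) in acl


def shadowed_entries(acl, users=USERS, default_realm=DEFAULT_REALM):
    """Return KERBEROS entries that can never grant access because the
    principal they name is always mapped to a USER identity first."""
    dead = [
        (kind, value)
        for kind, value in acl
        if kind == "KERBEROS"
        and session_identity(value, users, default_realm)[0] == "USER"
    ]
    return sorted(dead)


if __name__ == "__main__":
    for p in ("tlyu@ATHENA.MIT.EDU", "mar@ATHENA.MIT.EDU", "guest@EXAMPLE.ORG"):
        print(p, "->", session_identity(p), "access:", has_access(p, ACL))
    print("entries that never match:", shadowed_entries(ACL))
```

Running `shadowed_entries` over a list's membership is a quick audit for entries that look like grants but have no effect; the effective fix for such an entry is a `USER` member instead.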