[70] in Moira
afs 3.0B and groups
daemon@ATHENA.MIT.EDU (qjb@ATHENA.MIT.EDU)
Sun Apr 1 15:25:31 1990
From: qjb@ATHENA.MIT.EDU
Date: Sun, 1 Apr 90 15:22:41 -0400
To: moiradev@ATHENA.MIT.EDU, afsdev@ATHENA.MIT.EDU
Since AFS 3.0B supports Kerberos principals in the local realm
with instances on access control lists and on
system:administrators, we should probably consider making moira
do the Right Thing with them when they are added to groups.
I'd suggest the following: If something of type
KERBEROS name.inst@local-realm-of-SMS.MIT.EDU
is added to a group, and if <name> corresponds to a user known
by moira, then
pts createuser the user with id <id of name> + 65536
Add that entity to the group.
For example, I would want qjb.root to be on
system:administrators instead of qjb so I would want to do the
following:
blanche administrators -a KERBEROS:qjb.root@ATHENA.MIT.EDU
and have the following be executed on moira:
pts createuser qjb.root 67837 -cell athena.mit.edu
pts add qjb.root system:administrators -cell athena.mit.edu
==========
The reason for the + 65536 is that, although AFS ids are 32
bit, Unix uids are 16 bit. Adding 65536 means that if qjb.root
creates a file in the cell, it will be owned, as far as stat is
concerned, by qjb. Of course, AFS will distinguish between qjb
and qjb.root, so this is mainly a convenience thing so that ls
-H and ls with passwd file do as close to the right thing as
possible.
Comments?
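The mapping proposed above, written out as an added example that is not part of the original message and not Moira's or AFS's code: it parses a `KERBEROS:name.inst@REALM` group member, checks that the realm is the local one and that `name` is a Moira user, computes the AFS id as `uid + 65536`, and emits the two `pts` commands. The Moira user table is a constructed sample; qjb's uid is assumed to be 2301 so that the computed id matches the 67837 in the message. The `stat_uid` helper shows the 16-bit truncation the message relies on. Members that are not KERBEROS-type, are in a foreign realm, have no instance, or name an unknown user produce no commands, since the message says nothing about those cases.

```python
# Added example (not Moira or AFS code): the name.inst -> AFS id mapping
# proposed in the message, as a pure function that emits pts commands.
import re

# Realm Moira treats as local and the cell to act on (taken from the message).
LOCAL_REALM = "ATHENA.MIT.EDU"
AFS_CELL = "athena.mit.edu"
UID_OFFSET = 65536  # 2**16: Unix uids are 16 bits, AFS ids are 32 bits

# Constructed sample of Moira's user table (login -> uid).  qjb's uid is an
# assumption chosen so that qjb.root maps to 67837 as in the message.
MOIRA_USERS = {"qjb": 2301, "jtkohl": 1044}

# KERBEROS:<name>[.<inst>]@<realm>
MEMBER_RE = re.compile(r"^KERBEROS:([^.@/]+)(?:\.([^@/]+))?@([^@]+)$")


def parse_kerberos_member(member):
    """Split 'KERBEROS:name.inst@REALM' into (name, inst, realm).

    Returns None for anything that is not a KERBEROS-type member string.
    inst is None when the principal has no instance.
    """
    m = MEMBER_RE.match(member)
    if not m:
        return None
    return m.groups()


def afs_id_for(name, inst, realm, users=MOIRA_USERS, local_realm=LOCAL_REALM):
    """AFS id the message proposes for a local-realm name.inst principal.

    Only local-realm principals with an instance whose <name> is a Moira user
    get <uid> + 65536; for everything else this returns None, because the
    message does not say what to do with them.
    """
    if realm != local_realm or not inst:
        return None
    uid = users.get(name)
    if uid is None:
        return None
    return uid + UID_OFFSET


def pts_commands(group, member, cell=AFS_CELL, **kw):
    """Commands Moira would run to put `member` on the AFS group `group`.

    `group` is the full AFS group name (e.g. system:administrators).
    Returns an empty list when the member is not one the mapping covers.
    """
    parsed = parse_kerberos_member(member)
    if parsed is None:
        return []
    name, inst, realm = parsed
    afs_id = afs_id_for(name, inst, realm, **kw)
    if afs_id is None:
        return []
    principal = f"{name}.{inst}"
    return [
        f"pts createuser {principal} {afs_id} -cell {cell}",
        f"pts add {principal} {group} -cell {cell}",
    ]


def stat_uid(afs_id):
    """Owner a 16-bit st_uid would report for a file created under afs_id.

    Keeping only the low 16 bits is exactly why uid + 65536 makes files made
    by qjb.root look like qjb's to stat/ls.
    """
    return afs_id & 0xFFFF


if __name__ == "__main__":
    for cmd in pts_commands("system:administrators",
                            "KERBEROS:qjb.root@ATHENA.MIT.EDU"):
        print(cmd)
    print("stat sees uid", stat_uid(67837))
```

Running the block prints the two `pts` lines from the message and shows that `stat` on a file created by the id 67837 reports uid 2301, i.e. the plain `qjb` entry in the passwd file.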