[251] in Zephyr Mailing List

Re: Interrealm support issues

daemon@ATHENA.MIT.EDU (John Gardiner Myers)
Fri Jan 3 18:13:36 1997

Date: Fri,  3 Jan 1997 18:09:41 -0500 (EST)
From: John Gardiner Myers <jgm@CMU.EDU>
To: zephyr@MIT.EDU
In-Reply-To: <t53g20io5le.fsf@rover.cygnus.com>

Marc Horowitz <marc@cygnus.com> writes:
> Third, currently, zephyr realms do not have names.  A zephyr recipient
> is a fully qualified kerberos name, and nothing more, and this is the
> way the implementation behaves (I'm ignoring the issues of
> non-kerberized zephyr for now).  If a non-canonical name is provided
> ("zwrite marc"), then the local kerberos realm is appended.

This is not how CMU zephyr servers work.  Zephyr realms do have names;
a zephyr recipient is of the form user.instance@zephyrrealm.

Currently, the CMU servers only give authorization to use a given
zephyr identity to the kerberos identity of the same name.  (The
kerberos identity of the zephyr service in a connected realm has
authorization to use any identity in that remote realm.)  Someone
contacting the andrew.cmu.edu with an athena.mit.edu authentication
does not have authorization to use any identity, and is thus denied
service.

-- 
_.John Gardiner Myers	Internet: jgm+@CMU.EDU
			LoseNet:  ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
