
Re: Bug in kinit and afslog



Yeah, at one time I think Heimdal explicitly said "Unix ID" instead
of "AFS ID".

On Aug 1, 2007, at 10:52 AM, Brandon S. Allbery KF8NH wrote:

>
> On Aug 1, 2007, at 13:24 , Alf Wachsmann wrote:
>
>> On Wed, 1 Aug 2007, Brandon S. Allbery KF8NH wrote:
>>> On Aug 1, 2007, at 12:56 , Alf Wachsmann wrote:
>>>> when I obtain an AFS token from my account (alfw; UID 5828) for
>>>> an account with a different Unix UID (vanilla; UID 1820), the
>>>> resulting AFS token has the wrong UID stored in it (my own instead
>>>> of vanilla's) even though the credential in that token belongs to
>>>> the other account.
>>>
>>> This is expected behavior.  OpenAFS's aklog does a round-trip
>>> with the AFS ptserver to find the correct PTS id; this isn't
>>> necessary to create a token, and Heimdal avoids dependencies on
>>> AFS libraries (even to the extent of providing its own absolutely
>>> minimal AFS syscall wrapper), so it cheats and assumes the
>>> current uid is correct.
>>
>> Maybe it would be better to put the principal name in the token
>> instead of the potentially completely wrong UID?
>
> I have this vague recollection of stuff checking that it starts
> with "AFS ID ", and I'm not sure there is enough room after that
> for a principal name (especially with an instance).

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu