On Wed, Jan 21, 2009 at 09:52:21AM -0600, Douglas E. Engert wrote:
> I wish you would try and make this more generic, and allow multiple
> credentials, and not just for delayed execution. There are times when
> a user may wish to switch to using a different principal to access a
> file system for example, or when a user su's to root but keeps access
> to the same network file access.

It's one thing to say that a Unix user has multiple network
authentication credentials (Kerberos V, PKI, whatever) to be used by the
system when talking to various different services, and it's another to
say that a Unix user not only has multiple such credentials, but that
for any one service they can switch between them.

The former can be implemented in Solaris as-is by adding suitable
identity selection facilities to SASL/GSS-API/whatever mechanisms.  The
latter requires something like AFS PAGs or Linux kernel keyrings in
order to enable the grouping of processes running as one user that
should be asserting one identity to some set of services vs another
group of processes running as the same user but asserting a different ID
to that same set of services.  It is precisely because ID selection is
such a difficult UI problem that the latter approach is so alluring.

> (We use session based cache names with sshd at least, and AFS for a shared
> network file system, that is capable of using the different caches.)

Understood.

> >Currently, gssd uses the principal to map to the local user.  I believe
> >that this is still useful and could be used in order to lookup a special
> >CCAPI entry and to fall-back to file stores created by initial login.
> 
> You really need to get away from relying on UID for the mapping and
> look at PAGs, keyrings, or some other method to use instead of UID to
> identify credentials.

We agree.  However, this case is just not that case; this case is
independent of a case that would bring AFS PAG-like functionality to
Solaris.

Nico
-- 

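The distinction drawn in the message above (a UID-derived credential cache that every process of the user shares, versus a keyring or PAG that scopes credentials to a group of processes running as that same user) can be shown directly on Linux. The following program is an added example and is not code from this thread or from Solaris gssd; it assumes a Linux kernel with the keyctl(2) and add_key(2) syscalls available to an unprivileged user, and the credential description "krb5cc:alice@EXAMPLE.COM" and its payload are constructed stand-ins for a real ticket cache.

```c
// Added example: UID-keyed vs session-keyring-keyed credential scoping on Linux.
// Assumes keyctl(2)/add_key(2) are permitted (container seccomp profiles often block them).
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/keyctl.h>

/* UID-keyed naming: identical for every process of this user, so no two
 * process groups of the same uid can hold different credentials here. */
void uid_cache_name(char *buf, size_t n) {
    snprintf(buf, n, "/tmp/krb5cc_%u", (unsigned)getuid());
}

/* Replace the calling process's session keyring with a fresh anonymous one.
 * This is the PAG-like boundary: children inherit it, siblings do not. */
static long new_session_keyring(void) {
    return syscall(__NR_keyctl, (long)KEYCTL_JOIN_SESSION_KEYRING, (const char *)NULL);
}

/* Store a "user" key (the credential stand-in) in the session keyring. */
static long store_cred(const char *desc, const char *payload) {
    return syscall(__NR_add_key, "user", desc, payload, strlen(payload),
                   (long)KEY_SPEC_SESSION_KEYRING);
}

/* Search the session keyring for a credential by description; -1/ENOKEY if absent. */
static long find_cred(const char *desc) {
    return syscall(__NR_keyctl, (long)KEYCTL_SEARCH, (long)KEY_SPEC_SESSION_KEYRING,
                   "user", desc, 0L);
}

/* Returns 0 when the credential stored in this process's session keyring is
 * visible here but invisible to a child of the same uid that joined its own
 * session keyring; 1 if the child could see it; a negative errno on failure. */
int demo_keyring_scoping(void) {
    const char *desc = "krb5cc:alice@EXAMPLE.COM";   /* constructed description */
    if (new_session_keyring() < 0) return -errno;
    if (store_cred(desc, "constructed-ticket-bytes") < 0) return -errno;
    if (find_cred(desc) < 0) return -errno;          /* visible in our own session */

    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        /* Child: same uid, but a new session keyring, so the lookup must fail. */
        if (new_session_keyring() < 0) _exit(2);
        long r = find_cred(desc);
        _exit((r < 0 && errno == ENOKEY) ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -errno;
    if (!WIFEXITED(status)) return -ECHILD;
    if (WEXITSTATUS(status) == 2) return -EPERM;     /* child could not make a keyring */
    return WEXITSTATUS(status) == 0 ? 0 : 1;
}

int main(void) {
    char path[64];
    uid_cache_name(path, sizeof path);
    printf("uid-keyed cache, shared by every process of this user: %s\n", path);
    int r = demo_keyring_scoping();
    if (r == 0)
        puts("session-keyring credential: visible here, absent in the sibling session");
    else if (r < 0)
        printf("keyring syscalls unavailable: %s\n", strerror(-r));
    else
        puts("unexpected: sibling session keyring could see the credential");
    return r == 0 ? 0 : 1;
}
```

Both processes compute the same uid-derived cache path, which is exactly why a gssd that maps credentials by UID cannot tell them apart; the session keyring gives the kernel a per-process-group handle it can map on instead.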