I hate following up to my own post but I don't think I stated my objection clearly enough.
I will object to the implementation and deployment of any AFS credential retrieval service which implements a username mapping that results in a situation in which the initial authentication name has a one-to-many authorization relationship dependent upon how the authentication name was presented to AFS.
The amount of my time that has been wasted working with end users who download KFW or OpenAFS for Windows, who report that OpenAFS does not work after they successfully obtain a token, only to find out that the problem was caused by some behind-the-scenes mapping used by their cell, is simply too high.
Any mapping of a user name must be performed in such a way that when a user believes she has received a token using authentication name "foo", there is one and only one name by which an authorization decision will be made on that name.
Jeffrey Altman