Re: [9fans] Multi-domain authentication?

[erik quanstrom <quanstro@quanstro.net>]

> http://osdir.com/ml/os.plan9.nine-grid/2005-06/msg00001.html is a proposal
> from some years ago from TIP9UG to do multi-domain authentication in a way
> somewhat reminiscent of Kerberos.[1]
>
> The only change to factotum, AFAICT, was the following addition:
>>    if(_strfindattr(s->key->attr, "grid")){
>>      snprint(s->t.suid, sizeof s->t.suid, "%s@%s", s->t.cuid, _strfindattr(s->key->attr, "dom"));
>>      safecpy(s->t.cuid, s->t.suid, sizeof s->t.cuid);
>>      flog("grid user: %s", s->t.suid);
>>    }
> in the SHaveAuth case of p9skread.
>
> This seems like a good way to go about MDA, so I am curious why this change
> didn't get put back into the mainline code?  Is there something
> fundamentally wrong?  Was a different approach selected?  Was the issue
> simply tabled?

could you explain what you mean by multi-domain authentication?

i authenticate from one plan 9 authentication domain to another
every day.  the only thing that needs to be set up is that the hostowner
of the other auth domain's auth server needs to be in your /lib/ndb/auth.
(this is already done if you use bootes.)  and you need a line with
auth and authdom keys added to /lib/ndb/local on the auth client's
machine.

is there something else you are looking for?

> [1] I say similar to Kerberos in that it requires a domain A wishing to
> accept identities from domain B to have a key from B's authsrv.

i don't understand this.  which key are you talking about?

- erik