Hi Don,

On Mon, Mar 08, 2010 at 01:54:53AM -0800, Don disguising himself
 (or running) as root wrote:
> >>>What does your /vice/auth2/AuthLog say at the time of clog? 
> >>
> >>18:13:01        vid = 83886
> >>18:13:01 AuthNewConn(0x7da9cdba, 0, 66, 2, 83886)
> >>22:11:47        vid = 484
> >>22:11:47 AuthNewConn(0x72199dd5, 0, 66, 2, 484)  
> >>
> >>Where is coda getting this ID?  Clearly it believes there is a 484, but 
> >>executing:  pdbtool export /tmp/file1 /tmp/file2; grep 484 /tmp/file?
> >>results in null output. 
> >
> >It is Kerberos who produces the account name from the ticket the auth
> >daemon acquires with the help of the data sent by the client. If Kerberos
> >would happen to produce a string "484", then the authentication daemon
> >takes it literally and transforms to the numerical id.
> 
> I can't be understanding this correctly, am I?  Because my kerberos user 
> has the string "484" in it, which it does (along with a few other numbers), 

Not exactly.

If an account name _begins_ with a digit, it is considered to be
a string representation of an uid (I do not advocate this convention
nor criticize it but it is historically there in the code).

> coda mangles the coda _UID_ to match this random string in the kerberos 
> _username_?  Wouldn't it make a touch more since to simply use the coda UID 
> as the coda UID? 
> 
> This cannot be the desired behavior, is it? 

You are hopefully the only in Coda history to be hit by this
convention (even if it is a doubtful feature). I learned quite long ago
that there are many programs accepting both names and numbers who
do not like names which look like numbers. Hence user names beginning
with a digit is a doubtful approach even if it is totally correct in
a narrow context. Names tend to cross context boundaries.

> >To make it easier to analyze I wouls ask you to make the corresponding
> >clog using Coda password. You do not have to change anything in the
> >setup, just create a password for an account and tell clog to use the
> >codapassword method.
> 
> Nor use the codaauth service, I should think (nor perhaps even the DNS SRV 
> records?).  So noted for the future, but not needed now.  I have confirmed. 

No, you should not have to change anything in the setup, just be careful
to specify all the details on the clog command line.

> It is as you suspected.  As based on the above:  If there is a number in 
> the kerberos username, coda drops it's internal coda UID in favor of the 

This might be possible only when a "user name" begins with a digit.

> I've updated my random username generation algorithm to avoid numbers to
> work around this behavior and, low and behold, no more issue.

Have a nice day Don,
Rune