Hi Don,

On Mon, Mar 08, 2010 at 01:54:53AM -0800, Don disguising himself (or running) as root wrote:
> >>>What does your /vice/auth2/AuthLog say at the time of clog?
> >>
> >>18:13:01 vid = 83886
> >>18:13:01 AuthNewConn(0x7da9cdba, 0, 66, 2, 83886)
> >>22:11:47 vid = 484
> >>22:11:47 AuthNewConn(0x72199dd5, 0, 66, 2, 484)
> >>
> >>Where is coda getting this ID? Clearly it believes there is a 484, but
> >>executing: pdbtool export /tmp/file1 /tmp/file2; grep 484 /tmp/file?
> >>results in null output.
> >
> >It is Kerberos who produces the account name from the ticket the auth
> >daemon acquires with the help of the data sent by the client. If Kerberos
> >would happen to produce a string "484", then the authentication daemon
> >takes it literally and transforms to the numerical id.
>
> I can't be understanding this correctly, am I? Because my kerberos user
> has the string "484" in it, which it does (along with a few other numbers),

Not exactly. If an account name _begins_ with a digit, it is considered to be a string representation of a uid (I do not advocate this convention nor criticize it but it is historically there in the code).

> coda mangles the coda _UID_ to match this random string in the kerberos
> _username_? Wouldn't it make a touch more sense to simply use the coda UID
> as the coda UID?
>
> This cannot be the desired behavior, is it?

You are hopefully the only one in Coda history to be hit by this convention (even if it is a doubtful feature).

I learned quite long ago that there are many programs accepting both names and numbers who do not like names which look like numbers. Hence user names beginning with a digit is a doubtful approach even if it is totally correct in a narrow context. Names tend to cross context boundaries.

> >To make it easier to analyze I would ask you to make the corresponding
> >clog using Coda password. You do not have to change anything in the
> >setup, just create a password for an account and tell clog to use the
> >codapassword method.
>
> Nor use the codaauth service, I should think (nor perhaps even the DNS SRV
> records?). So noted for the future, but not needed now. I have confirmed.

No, you should not have to change anything in the setup, just be careful to specify all the details on the clog command line.

> It is as you suspected. As based on the above: If there is a number in
> the kerberos username, coda drops its internal coda UID in favor of the

This might be possible only when a "user name" begins with a digit.

> I've updated my random username generation algorithm to avoid numbers to
> work around this behavior and, lo and behold, no more issue.

Have a nice day Don,
Rune

Received on 2010-03-08 05:47:34
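
The convention discussed in this message, as an added C example that is not part of the original e-mail and is not Coda's code: a resolver that treats any digit-leading account name as a uid, beside a stricter one that prefers an exact name match and accepts a numeric id only when the whole string is digits. The account table, the name `484kx9q2`, the function names and the prefix-parsing behaviour of the legacy path are all assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed account table; names and ids are hypothetical. */
struct account { const char *name; long uid; };
static const struct account accounts[] = {
    { "don", 1001 },
    { "484kx9q2", 1002 },  /* generated name that starts with digits */
};

static long lookup_by_name(const char *name)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return accounts[i].uid;
    return -1;  /* unknown name */
}

/* Leading digit means "this is a uid". Assumption: the number is parsed
 * as a prefix, so trailing characters are silently ignored. */
long resolve_legacy(const char *name)
{
    if (isdigit((unsigned char)name[0]))
        return strtol(name, NULL, 10);
    return lookup_by_name(name);
}

/* Stricter: an exact name match wins; otherwise a numeric id is
 * accepted only when the entire string is a decimal number. */
long resolve_strict(const char *name)
{
    char *end;
    long v, uid = lookup_by_name(name);
    if (uid >= 0 || !isdigit((unsigned char)name[0]))
        return uid;
    errno = 0;
    v = strtol(name, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;  /* overflow or trailing junk: not a valid id */
    return v;
}

int main(void)
{
    printf("legacy: %ld  strict: %ld\n",
           resolve_legacy("484kx9q2"), resolve_strict("484kx9q2"));
    return 0;
}
```

With the legacy path the authenticated principal `484kx9q2` is mapped to uid 484, an id that belongs to no entry in the table, which matches the `vid = 484` symptom in the AuthLog excerpt.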