Subject: Re: CVS commit: [elad-kernelauth] src/sys/kern
To: Elad Efrat <elad@NetBSD.org>
From: Jason Thorpe <thorpej@shagadelic.org>
List: tech-kern
Date: 03/12/2006 19:20:18

On Mar 12, 2006, at 3:01 PM, Elad Efrat wrote:

> The group list in a kauth_cred_t object is treated as an override
> group list, and used when a flag is set indicating that group searches
> should refer to it rather than dispatched to memberd.

That's not quite the way it works.

The group list in the kauth_cred_t is consulted first.  If there is a
hit there, then the owner of that credential is treated as a member of
that group.  This is how the traditional BSD group list works in OS X.

The kauth_cred_t also has a "group membership check UID".  If that  
value is NOT set, then no consultation of the external group  
membership resolver is performed.

-- thorpej
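
The lookup order described in the message above, as an added example that is not part of the original post and is not Darwin or NetBSD code. All names (`model_cred`, `MODEL_UID_NONE`, `model_cred_ismember`, `sample_resolver`) are hypothetical, and the step that lets the resolver decide when the check UID is set is an assumption the message only implies.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model; names are illustrative, not a real kauth API. */
#define MODEL_UID_NONE ((unsigned)-1)   /* assumed "not set" sentinel */
#define MODEL_NGROUPS  16

struct model_cred {
    unsigned groups[MODEL_NGROUPS];  /* traditional BSD group list */
    size_t   ngroups;
    unsigned gm_uid;                 /* "group membership check UID" */
};

/* Stand-in for the external group membership resolver. */
typedef bool (*model_resolver_fn)(unsigned uid, unsigned gid);

static int resolver_calls;           /* counts external lookups */

/* Constructed resolver: uid 501 belongs to gid 80, nothing else. */
static bool sample_resolver(unsigned uid, unsigned gid)
{
    resolver_calls++;
    return uid == 501 && gid == 80;
}

static bool model_cred_ismember(const struct model_cred *c, unsigned gid,
                                model_resolver_fn resolve)
{
    /* 1. The credential's own group list is consulted first. */
    for (size_t i = 0; i < c->ngroups && i < MODEL_NGROUPS; i++)
        if (c->groups[i] == gid)
            return true;

    /* 2. No membership-check UID set: never ask the resolver. */
    if (c->gm_uid == MODEL_UID_NONE || resolve == NULL)
        return false;

    /* 3. Assumed: otherwise the resolver decides for that UID. */
    return resolve(c->gm_uid, gid);
}
```

The call counter makes the security-relevant property checkable: a credential with no membership-check UID never reaches the external resolver, whatever group is asked about.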