[OpenAFS] one afs/cell.domain princs per realm
Ken Hornstein
kenh@cmf.nrl.navy.mil
Wed, 27 Aug 2003 11:29:05 -0400
>In order to make the TTU.EDU princs appear local I had the
>administrators of TTU.EDU create an afs/cs.ttu.edu@TTU.EDU in the
>windows AD/Kerberos realm. It's not a v4 ticket obviously, but it was
>created as DES-CBC-CRC. They don't run krb524 so I've tried to run one
>locally using a keytab file containing afs/cs.ttu.edu for both realm
>and point my clients to it. Things were running fine when I was only
>using the afs/cs.ttu.edu@CS.TTU.EDU and the normal krb524 with -X
>(crossrealm).
Well, the -X means "allow _V4_ crossrealm", which opens up a really big
security hole. But hey, that's your realm, not mine :-/
The real problem is that what you're doing is unfortunately doomed to
failure.
The only way principals appear "local" to AFS is if the realm in
their Kerberos ticket matches the Kerberos realm defined for the AFS
server. By default, the realm of the cell is the cell name. You can
change the realm, but the real problem is that you're only allowed _one_
realm for an AFS cell to be in. So you have two choices to do what
you want:
- Hack your 524 ticket converter to rewrite that foreign realm's tickets
to have the "right" realm. There's been code floating around to do
that; I personally think that's scary, because of name collisions, but
it's an option.
- Just use the TTU.EDU realm. To do _that_ you have three options:
  - Convince them to run krb524. I don't really understand why they wouldn't,
    but some people are a bit crazy.
  - Run it yourself, using a keytab they give you. This means that you'll
    have to change aklog to point to "your" 524 converter (by default it
    uses one on the KDC).
  - Change aklog to simply mangle the V5 ticket appropriately. See the
    mailing list archives for the discussion on this. If you do
    this, Derrick Brashear will curse you until the day he dies, but
    he does that for _so_ many people, I think the effect is getting
    kinda diluted :-)
--Ken