[OpenAFS] one afs/cell.domain princs per realm

Ken Hornstein kenh@cmf.nrl.navy.mil
Wed, 27 Aug 2003 13:24:12 -0400


>I'm looking at Doug's kerberos 5 modifications below and also the 
>gssklog. Any suggestions as to which might fit better? Maybe a 
>combination of the two?
>I may be able to just do one REALM, and that being ttu.edu. But I must 
>create a cell called cs.ttu.edu, and have the users be local.
>I'll have to run any krb524ness within my boxes. TTU.EDU is a windows 
>AD domain and they are not likely to run krb524. Thanks for all the 
>direction and support thus far.

My main issue with gssklog is that my impression is that relatively
few people use it.  I don't know of anyone outside of Doug, actually.
This isn't a scientific survey; it's just a "gut feeling".  There could
be tens of thousands of people out there using gssklog, and they're
just quiet about it.  Well, okay, I have one other minor issue, which
relates to the "few people using it" issue; if you're ever going to
want someone else to use your cell, they're not likely to have gssklog,
they're more likely to have one of the V5 aklog variants.

So, if few people use gssklog, that means that you've only got Doug to
help you when there are problems.  Maybe there won't BE any problems,
but I am doubtful.  Not that I think gssklog is a bad piece of software,
but it's been my experience that when you're starting out with AFS
and trying to put a separate Kerberos realm in the mix, you're
going to have some problems, simply due to a lack of experience and
the complexity of the different parts.

If I was in your situation, knowing what I know now, I'd do one of
two things:

- I'd investigate the relocating of the krb524d server, similar to what
  other people who are stuck using Windows AD servers are doing.
- I'd have aklog do the krb5 ticket mangling itself.

But this is just my opinion.

--Ken