[OpenAFS] cross-realm afs client access
Derek T. Yarnell
derek@cs.umd.edu
Mon, 30 Aug 2004 11:09:52 -0400
Alright, I have two Kerberos realms, CS.UMD.EDU and CSIC.UMD.EDU.
CSIC.UMD.EDU has an AFS cell with the same name.
I am using all the same CellServDB files with the CSIC and CS realms.
[derek@macdonald users]$ klist
Ticket cache: FILE:/tmp/krb5cc_2174_Qu251L
Default principal: derek@CS.UMD.EDU
Valid starting     Expires            Service principal
08/30/04 10:21:27  09/01/04 10:21:27  krbtgt/CS.UMD.EDU@CS.UMD.EDU
        renew until 09/01/04 10:21:27
08/30/04 10:21:31  09/01/04 10:21:27  krbtgt/CSIC.UMD.EDU@CS.UMD.EDU
        renew until 09/01/04 10:21:27
08/30/04 10:21:31  08/30/04 20:21:31  afs/csic.umd.edu@CSIC.UMD.EDU
        renew until 08/30/04 10:21:31
[derek@macdonald users]$ aklog -d
Authenticating to cell csic.umd.edu (server queasy.csic.umd.edu).
We've deduced that we need to authenticate to realm CSIC.UMD.EDU.
Getting tickets: afs/csic.umd.edu@CSIC.UMD.EDU
About to resolve name derek@CS.UMD.EDU to id in cell csic.umd.edu.
Id 32766
doing first-time registration of derek@cs.umd.edu at csic.umd.edu
aklog: Badly formed name (group prefix doesn't match owner?) so unable to create remote PTS user derek@cs.umd.edu in cell csic.umd.edu (status: 267272).
Set username to derek@cs.umd.edu
Setting tokens. derek@cs.umd.edu / @ CS.UMD.EDU
When I try to create a user in the csic realm with the whole name, it
doesn't work either:
[derek@queasy derek]# pts createuser -name derek@cs.umd.edu -id 217400
pts: Badly formed name (group prefix doesn't match owner?) ; unable to create user derek@cs.umd.edu with id 217400
Personally I would like to not have users of username@cs.umd.edu in the
CSIC realm/cell because everyone in CS that would access CSIC would have
an account in both. Is there a way to map derek@cs.umd.edu to just
derek?
--
Derek T. Yarnell
UNIX System Administrator
Computer Science Department
University of Maryland