[OpenAFS] Tokens, Tickets and two cells...

Frank Burkhardt fbo2@gmx.net
Wed, 20 Oct 2004 18:03:54 +0200


On Wed, Oct 20, 2004 at 06:03:42AM -0400, Jeffrey Altman wrote:

> It is perfectly acceptable to have a single Kerberos REALM provide
> authentication for two completely independent AFS cells.  The Kerberos
> realm simply provides two AFS service principals
> 	afs/cell-one@REALM
> 	afs/cell-two@REALM
> which in turn map to the AFS service key.  The AFS server then specifies
> an /usr/afs/etc/krb.conf file with a single line specifying the "REALM".
This file was the solution.

> In the case of cell and realm combinations "foo" / "FOO" and "bar" / 
> "BAR" I believe it is possible for cell "foo" to lie and say its realm 
> is "BAR" in krb.conf and for "bar" to lie and say its realm is "FOO".
> This will treat principals of both "FOO" and "BAR" to be local to each.
> However, you will need to ensure that "user@FOO" and "user@BAR" really
> are the same individual with the same authorization roles with regards
> to AFS.  If the two realms "FOO" and "BAR" are under separate 
> administrative domains this might be impossible to do which is one reason
> why this architecture along with any architectures which perform
> principal name re-writing are to be avoided.

Good point...

I'm going to remove one of those Realms.

Thank you very much,
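The mapping described in the quoted reply, as an added example that is not part of the original thread and not OpenAFS code: a small Python model of how a cell's krb.conf realm list decides whether a Kerberos principal is treated as a local AFS user, plus a check for the "user@FOO" / "user@BAR" collision that arises when a cell lists both realms as local. Assumptions: krb.conf is modelled as whitespace-separated realm names; a principal in a listed realm maps to its bare name, and a principal in any other realm is modelled as keeping a lowercased realm suffix. The realm and principal names are constructed for illustration.

```python
"""Model (added example, not OpenAFS code) of krb.conf realm mapping.

A cell's krb.conf lists the Kerberos realm(s) whose principals are
treated as local AFS users.  Listing a second realm as local makes
user@FOO and user@BAR both map to the same AFS name "user", which is
only safe if both principals are really the same person.
"""


def parse_krb_conf(text: str) -> list[str]:
    """Return the realms listed in krb.conf (assumed: whitespace-separated).

    Realm names are compared case-insensitively, so they are uppercased.
    """
    realms = []
    for token in text.split():
        realm = token.upper()
        if realm not in realms:
            realms.append(realm)
    return realms


def map_principal(principal: str, local_realms: list[str]) -> str:
    """Return the AFS user name a cell would see for a Kerberos principal.

    Local-realm principals lose their realm ("user@FOO" -> "user").
    Foreign-realm principals are modelled (assumption) as keeping a
    lowercased realm suffix ("user@BAR" -> "user@bar"), which keeps
    them distinct from local users.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal: {principal!r}")
    if realm.upper() in local_realms:
        return name
    return f"{name}@{realm.lower()}"


def find_collisions(principals: list[str], local_realms: list[str]) -> dict[str, list[str]]:
    """Group principals that a cell would treat as the same AFS user.

    Returns {afs_name: [principal, ...]} for every AFS name reached by
    more than one distinct Kerberos principal; empty if none collide.
    """
    seen: dict[str, list[str]] = {}
    for principal in principals:
        seen.setdefault(map_principal(principal, local_realms), []).append(principal)
    return {afs: plist for afs, plist in seen.items() if len(plist) > 1}


# Constructed sample data for illustration.
SAMPLE_PRINCIPALS = ["user@FOO", "user@BAR", "admin@FOO"]
HONEST_KRB_CONF = "FOO\n"        # cell "foo" names only its own realm
LYING_KRB_CONF = "FOO BAR\n"     # cell "foo" also claims realm BAR as local


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Compare the two configurations; returns (honest, lying) collisions."""
    honest = find_collisions(SAMPLE_PRINCIPALS, parse_krb_conf(HONEST_KRB_CONF))
    lying = find_collisions(SAMPLE_PRINCIPALS, parse_krb_conf(LYING_KRB_CONF))
    return honest, lying


if __name__ == "__main__":
    honest, lying = demo()
    print("krb.conf = FOO      ->", honest or "no collisions")
    print("krb.conf = FOO BAR  ->", lying)
```

With only the cell's own realm listed, user@BAR stays distinct as "user@bar"; with both realms listed, user@FOO and user@BAR are reported as one AFS identity, which is the authorization problem the reply warns about.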