[OpenAFS] multiple realms and foreign users

Christopher D. Clausen cclausen@acm.org
Sat, 10 Jun 2006 21:12:55 -0500

I have added an afs/<cell> principal from each of two realms 
(AD.UIUC.EDU and ACM.UIUC.EDU) to the KeyFiles on our AFS servers.  This 
allows tokens obtained with AD.UIUC.EDU credentials to work just like 
the ACM.UIUC.EDU credentials (i.e. users are NOT treated as foreign,) as 
I've been told it should.

Is it now safe to remove any @ad.uiuc.edu users that were auto-created 
by previous foreign user handling (using the cross-realm trust from AD 
to ACM)?

What about removing the system:authuser@ad.uiuc.edu group?

Do these any of these still need to exist?

Christopher D. Clausen