[OpenAFS] does cross-realm aklog require REQUIRES_PRE_AUTH attribute?
Adam Megacz
megacz@cs.berkeley.edu
Sat, 05 May 2007 12:48:12 -0700
I've found that when doing cross-realm trust between two AFS cells
(both in MIT KDC realms), the foreign-realm principal trying to
acquire tokens in the local realm must have REQUIRES_PRE_AUTH as an
attribute in his/her realm in order for aklog to work.
Is this to be expected, or is it a side effect of some mistake I made?
If this is the case ("cross-realm only works when REQUIRES_PRE_AUTH is
enabled") I can arrange for that attribute to be turned on for all the
necessary users. I just wanted to see if it was necessary before
asking for this to be done, and perhaps understand why it is necessary.
Thanks,
- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380