[OpenAFS] Re: OpenAFS and AD trusts

Danko Antolovic dantolov@indiana.edu
Mon, 11 Jul 2011 20:23:11 -0400

Andrew and Derrick,

Thanks, but let me clarify: I am trying to separate the administrative part
of managing many user databases from the proper functions of the AFS server.

I want to have multiple domains like IU.EDU (school1.edu, school2.edu ...),
providing user creds for a single AFS installation.  I could list them all
in /usr/afs/etc/krb.conf, make all the asetkeys etc., but the idea is to
have the AD manage multiple domains via trusts to RESOURCE.NET, and have AFS
be aware of one domain only (you can see how this would be useful in the
case of many different services, all authenticating through RESOURCE.NET). 

In principle, a kerberizable service should be able to function like that;
my question is whether AFS can do it.

There is also the issue of the local (AFS) user namespace, but I am taking
one step at a time.


Danko Antolovic

-----Original Message-----
From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
On Behalf Of Andrew Deason
Sent: Monday, July 11, 2011 6:07 PM
To: openafs-info@openafs.org
Subject: [OpenAFS] Re: OpenAFS and AD trusts

On Mon, 11 Jul 2011 17:31:30 -0400
"Danko Antolovic" <dantolov@indiana.edu> wrote:

> The Open AFS configuration knows only about RESOURCE.NET, which is the
> default (and only) Kerb domain in /etc/krb5.conf, and is also the
> domain listed in /usr/afs/etc/krb.conf.

If I'm understanding your setup correctly, I'd think you want the IU.EDU
realm in krb.conf. You want 'user@IU.EDU' to be 'user' to AFS, right?
Then you want IU.EDU to be considered a local realm, and so you want it
in krb.conf.

You can get some more information about what's going on with name
mapping if you raise the fileserver debug level and/or turn on audit
logs. The fileserver manpage should have enough to let you know how
(look for mentions of TSTP and HUP for how to change the debug level on
the fly; you probably want to turn it up to at least 5). I'd expect
right now what you'd see is that user@IU.EDU is being considered a
foreign user; so the fileserver thinks they are 'user@iu.edu' instead of

Andrew Deason
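The name-mapping rule Andrew describes, as an added worked example that is not part of either message: a principal whose realm appears in /usr/afs/etc/krb.conf is treated as a local user and becomes plain "user" to AFS, while a principal from any other realm is foreign and becomes "user@realm" with the realm lower-cased. The script below uses a constructed krb.conf in /tmp standing in for the real one (the realm list, the file path and the principals are assumptions for illustration); run it against the real file by pointing KRB_CONF at /usr/afs/etc/krb.conf.

```shell
#!/bin/sh
# Added example, not code from the OpenAFS project or from the thread.
# Models how the fileserver names an authenticated Kerberos principal,
# following the rule stated in the reply: realm listed in krb.conf -> local
# ("user"); realm not listed -> foreign ("user@realm", realm in lower case).

# Constructed sample krb.conf; the real file is /usr/afs/etc/krb.conf.
# Override with: KRB_CONF=/usr/afs/etc/krb.conf sh thisscript.sh
KRB_CONF="${KRB_CONF:-/tmp/krb.conf.example}"
if [ ! -f "$KRB_CONF" ]; then
    # Assumed realm list for the setup described in the thread.
    printf 'RESOURCE.NET IU.EDU\n' > "$KRB_CONF"
fi

# realm_is_local REALM -> exit 0 if REALM appears (whitespace-separated,
# possibly over several lines) in the krb.conf file, 1 otherwise.
realm_is_local() {
    want="$1"
    for r in $(cat "$KRB_CONF"); do
        [ "$r" = "$want" ] && return 0
    done
    return 1
}

# afs_name PRINCIPAL -> prints the name the fileserver would use for it.
afs_name() {
    princ="$1"
    user="${princ%@*}"
    realm="${princ##*@}"
    if [ "$user" = "$princ" ]; then
        # No "@REALM" part at all: nothing to map, pass the name through.
        echo "$princ"
        return 0
    fi
    if realm_is_local "$realm"; then
        echo "$user"
    else
        # Foreign realm: keep it in the name, lower-cased as in the reply.
        echo "$user@$(printf '%s' "$realm" | tr 'A-Z' 'a-z')"
    fi
}

# Usage: show the mapping for a few constructed principals.
for p in user@RESOURCE.NET user@IU.EDU user@SCHOOL1.EDU; do
    printf '%-22s -> %s\n' "$p" "$(afs_name "$p")"
done
```

With the assumed krb.conf, user@IU.EDU maps to "user" because IU.EDU is listed, while user@SCHOOL1.EDU maps to "user@school1.edu"; remove IU.EDU from the file and the first principal becomes "user@iu.edu", which is the symptom Andrew expects from the poster's current configuration. To confirm what the fileserver actually decided, raise its debug level as the reply suggests (TSTP to the fileserver process raises it, HUP resets it) and compare the names in FileLog with this script's output.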

OpenAFS-info mailing list