[OpenAFS] OS X Lion: multiple Kerberos realms ?

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 18 Jul 2012 12:13:58 -0400


Why are you using two Kerberos realms in this scenario?
I recommend that you add an afs service principal to the Samba realm and
use that to authenticate your users to both services.

At the very least, use cross-realm authentication between the realms and
keep all of the users in the Samba realm and leave the afs service
principal in the other.

If you are using separate Kerberos realms, be sure to use separate DNS
subdomains for the hosts that are authenticated by each.

Jeffrey Altman

On Wednesday, July 18, 2012 12:06:24 PM, Gabriel L. Somlo wrote:
> Hi,
>
> I have the same username in two different Kerberos realms. One realm
> authenticates the OpenAFS cell I am trying to use. The other realm
> authenticates a Samba server from which I'm also trying to map shares.
>
> Without loss of generality, I could be attempting to use AFS home
> directories in two separate cells backed by separate kerberos realms,
> in which I happen to have the same user name.
>
> I managed to automatically acquire Kerberos tickets on login to Lion,
> using this method:
>
> Start /System/Library/CoreServices/Directory Utility;
> Pick the "Directory Editor" tab
> Under "users", find the appropriate user account
> Under "AuthenticationAuthority", add a line:
>
> 	;Kerberosv5;;user@REALM1.EXAMPLE.COM;REALM1.EXAMPLE.COM
>
>
> This gets me tickets for user@REALM1; but if I add two lines, one for
> each of user@REALM1 and user@REALM2, I only get tickets for the first
> listed realm, and not for the second one (both work if they're either
> first or the only one listed).
>
> Any OSX/Lion experts out there who know how to force acquisition of
> Kerb tickets from more than one realm upon login?
>
> Thanks,
> --Gabriel
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
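
The layout Jeffrey describes (users in one realm, the afs service principal in the other, direct cross-realm trust, and a separate DNS subdomain per realm so the client can pick the right realm for each host) as a krb5.conf fragment. This is an added illustration, not configuration from the thread or from OpenAFS; the subdomains afs.example.com / smb.example.com, the KDC hostnames and the realm names are assumed, and the cross-realm krbtgt principals must also exist on both KDCs for the [capaths] entries to be usable.

```ini
# Constructed example krb5.conf: two realms, one per DNS subdomain.
[libdefaults]
    # The realm holding the user principals (the Samba realm in the thread).
    default_realm = REALM2.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    # Realm that issues afs/cell@REALM1 service tickets (hostnames assumed).
    REALM1.EXAMPLE.COM = {
        kdc = kdc.afs.example.com
        admin_server = kdc.afs.example.com
    }
    # Realm that holds the user accounts and the Samba server (hostnames assumed).
    REALM2.EXAMPLE.COM = {
        kdc = kdc.smb.example.com
        admin_server = kdc.smb.example.com
    }

[domain_realm]
    # Each subdomain maps to exactly one realm, so a ticket request for
    # afsdb.afs.example.com goes to REALM1 and one for files.smb.example.com
    # goes to REALM2. Overlapping subdomains would make this mapping ambiguous.
    .afs.example.com = REALM1.EXAMPLE.COM
    afs.example.com  = REALM1.EXAMPLE.COM
    .smb.example.com = REALM2.EXAMPLE.COM
    smb.example.com  = REALM2.EXAMPLE.COM

[capaths]
    # "." marks a direct trust path: a user holding a REALM2 TGT obtains
    # krbtgt/REALM1.EXAMPLE.COM@REALM2.EXAMPLE.COM and then the afs ticket,
    # so a single login yields tickets usable by both services.
    REALM2.EXAMPLE.COM = {
        REALM1.EXAMPLE.COM = .
    }
    REALM1.EXAMPLE.COM = {
        REALM2.EXAMPLE.COM = .
    }
```

With this in place the AuthenticationAuthority entry only needs the single user@REALM2.EXAMPLE.COM line; the AFS tokens are then obtained from the cross-realm service ticket rather than from a second login-time TGT.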