[OpenAFS] Re: OS X Lion: multiple Kerberos realms ?

Harald Barth haba@kth.se
Thu, 19 Jul 2012 10:50:45 +0200 (CEST)

>> 	1. work a political miracle and get a Unix kerberos
>> 	   service principal for Samba, then use just the Unix
>> 	   realm.
> If I'm understanding your scenario right, I think you are missing two
> other options:
> 3. Create an AFS service principal in the AD realm.
> 4. Create a cross-realm trust between the two realms. The AFS service
> principal lives in the Unix realm, and the users get tickets for AD.
> Both of these let you authenticate to AFS while having tickets only for
> AD.

As we have the same situation at KTH that the keeper of the AD will not
do such things unless pigz fliez, I understand Gabriel's problem. I have
been juggling with small scripts that do set KRB5CCNAME, then authenticate
without afslog and then afslog to a specific cell in that tokens context
for years. But it still fails in situations where a program expects to
have its credentials in a single KRB5CCNAME like thunderbird towards
different realms.

So what tools do we have for "alien" multi realm scenarios?