[OpenAFS-devel] Multiple AFS principals per pts id?

Neulinger, Nathan R. nneul@umr.edu
Thu, 4 Jan 2001 10:38:26 -0600


True, but unfortunately, I'm not talking about doing this for myself (I
already do it for myself with cross-realm) - I'm talking about doing it for
thousands of userids, and several hundred gigs worth of AFS data.

For the short term, I was considering that I might be able to modify the AFS
servers to strip a particular string off the end of principal names prior to
doing any ptserver lookups. It's an ugly hack, but it would suffice
temporarily until a better solution came about (i.e. sort of an AFS server
"hosts.equiv"/"realms.equiv" type facility). In fact, that might even be a
reasonable approach: a new file in /usr/afs/etc called "realms.equiv" that
listed any realms that should be considered equivalent to the local realm.
Granted, that would only be suitable for *:* mappings, but it would be a
simple start.

I think though that the benefits of having a PTS mapping facility that would
map arbitrary kerberos principals to PTS ids would be quite useful, and
would take the current cross-realm support to new levels. 

Your comment about duplicating the AFS service key - that sounds like something
I was thinking of. Unfortunately, I'm not sure how you'd actually go about
doing that with an MS KDC, since you can only put a password in, not an
actual key.

-- Nathan

> -----Original Message-----
> From: Derek Atkins [mailto:warlord@MIT.EDU]
> Sent: Thursday, January 04, 2001 10:28 AM
> To: Neulinger, Nathan R.
> Cc: 'openafs-devel@openafs.org'
> Subject: Re: [OpenAFS-devel] Multiple AFS principals per pts id?
> 
> 
> IIRC, I was able to do this a while ago by duplicating the afs service
> key in both realms.  I seem to recall that this worked, but this was
> back in the early 90s, and all the affected systems have been in the
> trash for several years by now.
> 
> Alternatively, you can use the standard AFS cross-realm authentication,
> and you can use groups to combine users.  For example:
> 
> ~% pts mem warlord:warlord
> Members of warlord:warlord (id: -99013) are:
> 	warlord
> 	warlord.root
> 	warlord@ihtfp.org
> 	warlord.root@ihtfp.org
> 
> Then you can just use the id 'warlord:warlord' on all acls and it gets
> all instances of 'me'.  You could even automate it and use system
> groups.
> 
> -derek
> 
> "Neulinger, Nathan R." <nneul@umr.edu> writes:
> 
> > Would it be possible to modify the ptserver to allow multiple principal
> > names per pts id?
> > 
> > I.e. I'd like to be able to have princ@REALM1 and princ@REALM2 when run
> > through aklog, both get the same pts id. Obviously the reverse lookup (get
> > name from id) would only return 1. Or alternatively, I guess I'm looking for
> > a way to modify the ptserver to be able to establish a cross-realm
> > trust/equivalency. (I would actually not have any objection to the ptserver
> > simply treating the two realms as 100% equivalent as one possible approach.)
> > 
> > Ideally, some way of saying "if I aklog with princ@REALM2, I want it to look
> > up the mapping to see what AFS access it really should give me as opposed to
> > princ@REALM2."
> > 
> > -- Nathan
> > 
> > ------------------------------------------------------------
> > Nathan Neulinger                       EMail:  nneul@umr.edu
> > University of Missouri - Rolla         Phone: (573) 341-4841
> > Computing Services                       Fax: (573) 341-4216
> 
> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
>
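As an added illustration of the two approaches discussed in this thread (a "realms.equiv" style realm-equivalence file, and Derek's pts-group workaround), written for this page and not taken from OpenAFS or either poster; the file format, the function names, the anonymous id and the sample pts data are assumptions, while the name conventions follow the thread:

```python
# Added example, not OpenAFS code: a model of this thread's "realms.equiv"
# proposal and pts-group workaround. Names, format and data are assumptions.
ANONYMOUS_ID = 32766  # assumed: the AFS id given to unknown principals

def parse_realms_equiv(lines):
    """Parse a hypothetical /usr/afs/etc/realms.equiv: one realm per line,
    blank lines and '#' comments ignored, compared case-insensitively."""
    realms = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            realms.add(line.upper())
    return realms

def principal_to_pts_name(principal, local_realm, equiv_realms):
    """Name the ptserver is asked about for a Kerberos principal:
    user@LOCAL or user@EQUIV -> user        (realm treated as local)
    user@OTHER               -> user@other  (cross-realm entry, lowercased,
                                             like 'warlord@ihtfp.org' above)
    user/inst@...            -> user.inst   (AFS spells the instance with '.')
    Any realm listed as equivalent can mint every local identity, so its KDC
    must be trusted exactly as much as the local one."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                      # bare name: assume the local realm
        name, realm = principal, local_realm
    name = name.replace("/", ".")
    if realm.upper() == local_realm.upper() or realm.upper() in equiv_realms:
        return name
    return f"{name}@{realm.lower()}"

def pts_id_for(principal, local_realm, equiv_realms, pts_db):
    """Resolve a principal to its pts id; unknown names become anonymous."""
    name = principal_to_pts_name(principal, local_realm, equiv_realms)
    return pts_db.get(name, ANONYMOUS_ID)

def acl_rights(acl, pts_id, groups):
    """Derek's workaround: an ACL entry for a group (negative id, as in
    'warlord:warlord (id: -99013)') applies to every member of the group."""
    rights = set()
    for entry_id, r in acl.items():
        if entry_id == pts_id or pts_id in groups.get(entry_id, ()):
            rights |= set(r)
    return rights

# Constructed sample data mirroring the group shown in the thread.
PTS_DB = {"warlord": 1001, "warlord.root": 1002,
          "warlord@ihtfp.org": 1003, "warlord.root@ihtfp.org": 1004}
GROUPS = {-99013: {1001, 1002, 1003, 1004}}   # warlord:warlord
ACL = {-99013: "rlidwk"}                      # one entry covers all four
```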