[OpenAFS-devel] Multiple AFS principals per pts id?
Neulinger, Nathan R.
nneul@umr.edu
Thu, 4 Jan 2001 10:38:26 -0600
True, but unfortunately, I'm not talking about doing this for myself (I
already do it for myself with cross-realm) - I'm talking about doing it for
thousands of userids, and several hundred gigs worth of AFS data.
For the short term, I was considering that I might be able to modify the AFS
servers to strip a particular string off the end of principal names prior to
doing any ptserver lookups. It's an ugly hack, but it would suffice
temporarily until a better solution came about (i.e. sort of an AFS server
"hosts.equiv"/"realms.equiv" type facility). In fact, that might even be a
reasonable approach - a new file in /usr/afs/etc called "realms.equiv" that
listed any realms that should be considered equivalent to the local realm.
Granted, that would only be suitable for *:* mappings, but it would be a
simple start.
I think though that the benefits of having a PTS mapping facility that would
map arbitrary kerberos principals to PTS ids would be quite useful, and
would take the current cross-realm support to new levels.
Your comment about duplicating the AFS service key - that sounds like something
I was thinking of; unfortunately, I'm not sure how you'd actually go about
doing that with an MS KDC, since you can only put a password in, not an
actual key.
-- Nathan
> -----Original Message-----
> From: Derek Atkins [mailto:warlord@MIT.EDU]
> Sent: Thursday, January 04, 2001 10:28 AM
> To: Neulinger, Nathan R.
> Cc: 'openafs-devel@openafs.org'
> Subject: Re: [OpenAFS-devel] Multiple AFS principals per pts id?
>
>
> IIRC, I was able to do this a while ago by duplicating the afs service
> key in both realms. I seem to recall that this worked, but this was
> back in the early 90s, and all the affected systems have been in the
> trash for several years by now.
>
> Alternatively, you can use the standard AFS cross-realm authentication,
> and you can use groups to combine users. For example:
>
> ~% pts mem warlord:warlord
> Members of warlord:warlord (id: -99013) are:
> warlord
> warlord.root
> warlord@ihtfp.org
> warlord.root@ihtfp.org
>
> Then you can just use the id 'warlord:warlord' on all acls and it gets
> all instances of 'me'. You could even automate it and use system
> groups.
>
> -derek
>
> "Neulinger, Nathan R." <nneul@umr.edu> writes:
>
> > Would it be possible to modify the ptserver to allow multiple principal
> > names per pts id?
> >
> > I.e. I'd like to be able to have princ@REALM1 and princ@REALM2 when run
> > through aklog, both get the same pts id. Obviously the reverse lookup (get
> > name from id) would only return 1. Or alternatively, I guess I'm looking for
> > a way to modify the ptserver to be able to establish a cross-realm
> > trust/equivalency. (I would actually not have any objection to the ptserver
> > simply treating the two realms as 100% equivalent as one possible approach.)
> >
> > Ideally, some way of saying "if I aklog with princ@REALM2, I want it to look
> > up the mapping to see what AFS access it really should give me as opposed to
> > princ@REALM2."
> >
> > -- Nathan
> >
> > ------------------------------------------------------------
> > Nathan Neulinger EMail: nneul@umr.edu
> > University of Missouri - Rolla Phone: (573) 341-4841
> > Computing Services Fax: (573) 341-4216
> > _______________________________________________
> > OpenAFS-devel mailing list
> > OpenAFS-devel@openafs.org
> > https://lists.openafs.org/mailman/listinfo.cgi/openafs-devel
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available
>
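The "realms.equiv" idea from the top of the thread, written out as an added example (not code from OpenAFS or from either poster): a lookup that strips the realm from a principal only when that realm is the local one or is listed in the equivalence file, and otherwise leaves the standard cross-realm "user@REALM" name for the ptserver. The realm names and the file contents are constructed; a real implementation would read /usr/afs/etc/realms.equiv from disk. Note the *:* property the author mentions: any realm on the list can mint any local identity, including admin instances, so the list is effectively a list of fully trusted KDCs.

```c
#include <string.h>

/* Constructed placeholder for the cell's own Kerberos realm. */
#define LOCAL_REALM "LOCAL.REALM.EXAMPLE"

/* Constructed contents of a hypothetical /usr/afs/etc/realms.equiv: one realm
 * per line; blank lines and '#' comments are ignored. */
static const char *realms_equiv =
    "# realms whose principals are treated exactly like local ones\n"
    "OTHER.REALM.EXAMPLE\n"
    "\n";

/* Return 1 if realm (n bytes, not NUL-terminated) appears in realms.equiv.
 * Kerberos realm names are case-sensitive, so the comparison is exact. */
static int realm_is_equivalent(const char *realm, size_t n)
{
    const char *p = realms_equiv;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (n > 0 && len == n && p[0] != '#' && memcmp(p, realm, n) == 0)
            return 1;
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Rewrite the principal aklog presents into the name the ptserver is asked
 * for. The realm is everything after the last '@' (an escaped '@' inside the
 * name part is not handled here). Returns 1 when "@REALM" was stripped (local
 * or equivalent realm), 0 when the name is passed through unchanged (foreign
 * realm, or no realm at all), and -1 on malformed input or a short buffer. */
int map_principal(const char *princ, char *out, size_t outlen)
{
    const char *at = strrchr(princ, '@');
    size_t namelen = at ? (size_t)(at - princ) : strlen(princ);

    if (namelen == 0 || (at && at[1] == '\0') || strlen(princ) >= outlen)
        return -1;
    if (at && (strcmp(at + 1, LOCAL_REALM) == 0 ||
               realm_is_equivalent(at + 1, strlen(at + 1)))) {
        memcpy(out, princ, namelen);  /* keep any ".inst" part, drop "@REALM" */
        out[namelen] = '\0';
        return 1;
    }
    strcpy(out, princ);               /* foreign realm: stays "user@REALM" */
    return 0;
}
```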