[OpenAFS-devel] Multiple AFS principals per pts id?

Derek Atkins warlord@MIT.EDU
04 Jan 2001 12:30:30 -0500


"Neulinger, Nathan R." <nneul@umr.edu> writes:

> (In fact, that might even be a
> reasonable approach - a new file in /usr/afs/etc called "realms.equiv" that
> listed any realms that should be considered equivalent to the local realm.
> Granted, that would only be suitable for *:* mappings, but it would be a
> simple start.

Now that you mention it, this _IS_ what we did.  We had a file that
lists equivalent realms.  IIRC we still had to duplicate the keys in
both realms, but you may be able to work around that.  Hrm, I wonder
what happened to those patches?

> I think though that the benefits of having a PTS mapping facility that would
> map arbitrary kerberos principals to PTS ids would be quite useful, and
> would take the current cross-realm support to new levels. 
> 
> Your comment about duplicating AFS service key - that sounds like something
> I was thinking of, unfortunately, I'm not sure how you'd actually go about
> doing that with an MS KDC, since you can only put a password in, not an
> actual key. 

Are both KDCs MS KDC?  I do have to ask: why do you have two realms?
Mapping multiple realms can cause LOTS of problems, unless both realms
are under the same domain of control.  Basically, you have to be sure
that any name duplication across realms really belongs to the same
user.  Besides, if both realms are under the same domain of control,
then why do you NEED two realms in the first place?

> -- Nathan

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
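As an added illustration of the `realms.equiv` idea discussed above (example code, not anything from OpenAFS or from the thread's participants): a toy model of the proposed `*:*` realm-equivalence mapping, plus the review check Derek's warning calls for, listing which foreign principals would silently assume an existing local PTS identity. The file format (one realm per line, `#` comments), the realm names and the function names are all assumptions made here.

```python
"""Toy model of a proposed realms.equiv mapping (added example, not OpenAFS code)."""

LOCAL_REALM = "EXAMPLE.EDU"  # constructed local cell realm

# Constructed sample of the proposed /usr/afs/etc/realms.equiv; format is assumed.
REALMS_EQUIV = """
# Realms whose principals are treated as local (a *:* mapping).
AD.EXAMPLE.EDU
"""


def parse_realms_equiv(text):
    """Return the set of realms listed (upper-cased; blank and comment lines skipped)."""
    realms = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            realms.add(line.upper())
    return realms


def pts_name_for(principal, local_realm, equiv_realms):
    """Map 'name@REALM' to the PTS name it would be looked up as.

    Local and equivalent realms collapse to the bare name (the *:* mapping);
    any other realm keeps the usual AFS cross-realm form 'name@realm' with a
    lower-cased realm, which cannot collide with a local user's name.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM, got %r" % principal)
    realm = realm.upper()
    if realm == local_realm.upper() or realm in equiv_realms:
        return name
    return "%s@%s" % (name, realm.lower())


def merged_identities(local_users, local_realm, equiv_realms, principals):
    """Return {principal: pts_name} for every foreign principal that the
    equivalence would merge into an already existing local PTS user.

    Each entry must be confirmed to be the same person before the realm is
    listed as equivalent; otherwise the mapping hands out local identities.
    """
    merged = {}
    for principal in principals:
        pts_name = pts_name_for(principal, local_realm, equiv_realms)
        foreign = not principal.upper().endswith("@" + local_realm.upper())
        if foreign and "@" not in pts_name and pts_name in local_users:
            merged[principal] = pts_name
    return merged
```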