[OpenAFS-devel] Multiple AFS principals per pts id?

Neulinger, Nathan R. nneul@umr.edu
Thu, 4 Jan 2001 11:39:56 -0600


One word. Politics. 

For the longest time, we weren't even going to be allowed to have
under-8-char userids in the second realm.

We're looking at a lot of options. One of them is just ignoring the whole
issue, and keep the realms completely separate, one using MS, and one using
MIT, no communication between the two. 

At the moment, I have AFS running against an MIT KDC, realm umr.edu. There
is another realm with equivalent (mostly) userids rolla.umr.edu. We're
trying to figure out the best way of dealing with the situation. Cross realm
(logging in with rolla.umr.edu) seems to be pretty reasonable.

Another option is renaming all machines, changing cell to rolla.umr.edu,
etc. but that comes with its own large set of problems. I _know_ that
cross-realm works, but the ACLs and file ownership are the real issue there.
We can force the userids to be the same, that isn't a horrible problem.

-- Nathan

> -----Original Message-----
> From: Derek Atkins [mailto:warlord@MIT.EDU]
> Sent: Thursday, January 04, 2001 11:31 AM
> To: Neulinger, Nathan R.
> Cc: 'openafs-devel@openafs.org'
> Subject: Re: [OpenAFS-devel] Multiple AFS principals per pts id?
> 
> 
> "Neulinger, Nathan R." <nneul@umr.edu> writes:
> 
> > (In fact, that might even be a reasonable approach - a new file in
> > /usr/afs/etc called "realms.equiv" that listed any realms that should
> > be considered equivalent to the local realm. Granted, that would only
> > be suitable for *:* mappings, but it would be a simple start.
> 
> Now that you mention it, this _IS_ what we did.  We had a file that
> lists equivalent realms.  IIRC we still had to duplicate the keys in
> both realms, but you may be able to work around that.  Hrm, I wonder
> what happened to those patches?
> 
> > I think though that the benefits of having a PTS mapping facility that
> > would map arbitrary kerberos principals to PTS ids would be quite
> > useful, and would take the current cross-realm support to new levels.
> > 
> > Your comment about duplicating AFS service key - that sounds like
> > something I was thinking of, unfortunately, I'm not sure how you'd
> > actually go about doing that with an MS KDC, since you can only put a
> > password in, not an actual key.
> 
> Are both KDCs MS KDC?  I do have to ask: why do you have two realms?
> Mapping multiple realms can cause LOTS of problems, unless both realms
> are under the same domain of control.  Basically, you have to be sure
> that any name duplication across realms really belongs to the same
> user.  Besides, if both realms are under the same domain of control,
> then why do you NEED two realms in the first place?
> 
> > -- Nathan
> 
> -derek
> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
>
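To make the "realms.equiv" idea from the quoted exchange concrete, here is an added toy mapper; it is not code from the thread or from OpenAFS. The file format, the function names and the lowercase `user@realm` form for foreign users are assumptions, and the collision report is the manual check Derek asks for (that a duplicated name across realms really is the same person).

```python
# Added example, not from the thread or OpenAFS: realms listed in a
# hypothetical /usr/afs/etc/realms.equiv collapse onto local PTS names
# (the *:* mapping only); every other realm stays a foreign user.

# Constructed sample of the hypothetical realms.equiv file.
SAMPLE_REALMS_EQUIV = """\
# realms whose users map 1:1 onto local PTS names
ROLLA.UMR.EDU
"""

def parse_realms_equiv(text):
    """Return the set of equivalent realms, upper-cased, comments stripped."""
    realms = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            realms.add(line.upper())
    return realms

def principal_to_pts_name(principal, local_realm, equiv_realms):
    """Map a Kerberos principal 'user@REALM' to the PTS name it would get.
    Local and equivalent realms yield the bare user name; any other realm
    keeps 'user@realm' (realm lowercased, an assumed convention) so a
    foreign user cannot silently take over a local entry."""
    if "@" not in principal:
        raise ValueError("principal %r has no realm" % principal)
    user, realm = principal.rsplit("@", 1)
    realm = realm.upper()
    if realm == local_realm.upper() or realm in equiv_realms:
        return user
    return "%s@%s" % (user, realm.lower())

def find_collisions(principals, local_realm, equiv_realms):
    """Derek's caveat: two different principals landing on one PTS name
    must be confirmed to be the same person before the realm is declared
    equivalent. Returns {pts_name: [principals...]} for names hit twice."""
    by_name = {}
    for p in principals:
        name = principal_to_pts_name(p, local_realm, equiv_realms)
        by_name.setdefault(name, []).append(p)
    return {n: ps for n, ps in by_name.items() if len(ps) > 1}

if __name__ == "__main__":
    equiv = parse_realms_equiv(SAMPLE_REALMS_EQUIV)
    sample = ["nneul@UMR.EDU", "nneul@ROLLA.UMR.EDU", "nneul@MIT.EDU"]
    for p in sample:
        print(p, "->", principal_to_pts_name(p, "UMR.EDU", equiv))
    print("needs admin review:", find_collisions(sample, "UMR.EDU", equiv))
```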