[OpenAFS-devel] Multiple AFS principals per pts id?

Derek Atkins warlord@MIT.EDU
04 Jan 2001 12:49:08 -0500


Sorry, you're too far up in the stack for me..  I tend to stop
at the Application layer and ignore everything above it ;)

-derek

"Neulinger, Nathan R." <nneul@umr.edu> writes:

> One word. Politics. 
> 
> For the longest time, we weren't even going to be allowed to have
> under-8-char userids in the second realm.
> 
> We're looking at a lot of options. One of them is just ignoring the whole
> issue, and keep the realms completely separate, one using MS, and one using
> MIT, no communication between the two. 
> 
> At the moment, I have AFS running against an MIT KDC, realm umr.edu. There
> is another realm with equivalent (mostly) userids rolla.umr.edu. We're
> trying to figure out the best way of dealing with the situation. Cross realm
> (logging in with rolla.umr.edu) seems to be pretty reasonable.
> 
> Another option is renaming all machines, changing cell to rolla.umr.edu,
> etc. but that comes with its own large set of problems. I _know_ that
> cross-realm works, but the ACLs and file ownership are the real issue there.
> We can force the userids to be the same, that isn't a horrible problem.
> 
> -- Nathan
> 
> > -----Original Message-----
> > From: Derek Atkins [mailto:warlord@MIT.EDU]
> > Sent: Thursday, January 04, 2001 11:31 AM
> > To: Neulinger, Nathan R.
> > Cc: 'openafs-devel@openafs.org'
> > Subject: Re: [OpenAFS-devel] Multiple AFS principals per pts id?
> > 
> > 
> > "Neulinger, Nathan R." <nneul@umr.edu> writes:
> > 
> > > (In fact, that might even be a reasonable approach - a new file in
> > > /usr/afs/etc called "realms.equiv" that listed any realms that should
> > > be considered equivalent to the local realm. Granted, that would only
> > > be suitable for *:* mappings, but it would be a simple start.
> > 
> > Now that you mention it, this _IS_ what we did.  We had a file that
> > lists equivalent realms.  IIRC we still had to duplicate the keys in
> > both realms, but you may be able to work around that.  Hrm, I wonder
> > what happened to those patches?
> > 
> > > I think though that the benefits of having a PTS mapping facility that
> > > would map arbitrary kerberos principals to PTS ids would be quite
> > > useful, and would take the current cross-realm support to new levels.
> > > 
> > > Your comment about duplicating AFS service key - that sounds like
> > > something I was thinking of, unfortunately, I'm not sure how you'd
> > > actually go about doing that with an MS KDC, since you can only put a
> > > password in, not an actual key.
> > 
> > Are both KDCs MS KDC?  I do have to ask: why do you have two realms?
> > Mapping multiple realms can cause LOTS of problems, unless both realms
> > are under the same domain of control.  Basically, you have to be sure
> > that any name duplication across realms really belongs to the same
> > user.  Besides, if both realms are under the same domain of control,
> > then why do you NEED two realms in the first place?
> > 
> > > -- Nathan
> > 
> > -derek
> > -- 
> >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >        Member, MIT Student Information Processing Board  (SIPB)
> >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >        warlord@MIT.EDU                        PGP key available
> > 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
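The thread above sketches two things: a "realms.equiv" file that lists realms treated as equivalent to the local one (a *:* mapping), and Derek's caveat that such a mapping is only safe if every name shared between the realms really belongs to the same person. The block below is an added illustration, not code from this thread or from OpenAFS: the file format (one realm per line, `#` comments), the name/instance-to-PTS convention (`name/instance` becoming `name.instance`), and the `name@realm` form for non-equivalent realms are all assumptions made for the example. The sample file contents and user lists are constructed.

```python
"""Illustrative handling of a hypothetical 'realms.equiv' file (not OpenAFS code)."""
from __future__ import annotations

# Constructed sample file: one realm per line, '#' starts a comment.
SAMPLE_REALMS_EQUIV = """\
# realms treated as equivalent to the local realm (*:* mapping)
ROLLA.UMR.EDU
"""


def parse_realms_equiv(text: str) -> frozenset[str]:
    """Return the set of equivalent realms (upper-cased), skipping blanks and comments."""
    realms: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            realms.add(line.upper())
    return frozenset(realms)


def principal_to_pts_name(principal: str, local_realm: str,
                          equiv_realms: frozenset[str]) -> str:
    """Map a Kerberos principal 'name[/instance]@REALM' to a PTS user name.

    Assumptions for this example: the local realm and every realm listed in
    realms.equiv map *:* onto the bare name; any other realm keeps a distinct
    'name@realm' identity, so foreign users cannot collide with local ones.
    """
    if "@" not in principal:
        raise ValueError(f"principal lacks a realm: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    if not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    # Assumed convention: Kerberos 'name/instance' becomes AFS 'name.instance'.
    name = name.replace("/", ".")
    realm = realm.upper()
    if realm == local_realm.upper() or realm in equiv_realms:
        return name
    return f"{name}@{realm.lower()}"


def conflicting_names(users_by_realm: dict[str, set[str]]) -> dict[str, list[str]]:
    """Names present in more than one realm, each listed with the realms it appears in.

    Before enabling a *:* mapping, an administrator should verify that every
    name in this report belongs to the same person in all listed realms;
    otherwise the mapping silently merges two different users' identities.
    """
    seen: dict[str, list[str]] = {}
    for realm, users in users_by_realm.items():
        for user in users:
            seen.setdefault(user, []).append(realm)
    return {user: sorted(realms) for user, realms in seen.items() if len(realms) > 1}


if __name__ == "__main__":
    equiv = parse_realms_equiv(SAMPLE_REALMS_EQUIV)
    for p in ("nneul@UMR.EDU", "nneul@rolla.umr.edu", "nneul@OTHER.EDU"):
        print(p, "->", principal_to_pts_name(p, "UMR.EDU", equiv))
    # Constructed user lists for the two realms discussed in the thread.
    report = conflicting_names({"UMR.EDU": {"nneul", "alice"},
                                "ROLLA.UMR.EDU": {"nneul", "bob"}})
    print("names to verify before mapping:", report)
```

The collision report is the practical counterpart of Derek's warning: a realm-equivalence file is a policy statement that identical names are identical people, and the audit of shared names is what justifies that statement before the mapping goes live.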