[OpenAFS-devel] Multiple AFS principals per pts id?
Derek Atkins
warlord@MIT.EDU
04 Jan 2001 12:49:08 -0500
Sorry, you're too far up in the stack for me.. I tend to stop
at the Application layer and ignore everything above it ;)
-derek
"Neulinger, Nathan R." <nneul@umr.edu> writes:
> One word. Politics.
>
> For the longest time, we weren't even going to be allowed to have
> under-8-char userids in the second realm.
>
> We're looking at a lot of options. One of them is just ignoring the whole
> issue and keeping the realms completely separate, one using MS and one using
> MIT, with no communication between the two.
>
> At the moment, I have AFS running against an MIT KDC, realm umr.edu. There
> is another realm with equivalent (mostly) userids rolla.umr.edu. We're
> trying to figure out the best way of dealing with the situation. Cross realm
> (logging in with rolla.umr.edu) seems to be pretty reasonable.
>
> Another option is renaming all machines, changing the cell to rolla.umr.edu,
> etc., but that comes with its own large set of problems. I _know_ that
> cross-realm works, but the ACLs and file ownership are the real issue there.
> We can force the userids to be the same; that isn't a horrible problem.
>
> -- Nathan
>
> > -----Original Message-----
> > From: Derek Atkins [mailto:warlord@MIT.EDU]
> > Sent: Thursday, January 04, 2001 11:31 AM
> > To: Neulinger, Nathan R.
> > Cc: 'openafs-devel@openafs.org'
> > Subject: Re: [OpenAFS-devel] Multiple AFS principals per pts id?
> >
> >
> > "Neulinger, Nathan R." <nneul@umr.edu> writes:
> >
> > > (In fact, that might even be a reasonable approach - a new file in
> > > /usr/afs/etc called "realms.equiv" that listed any realms that should be
> > > considered equivalent to the local realm. Granted, that would only be
> > > suitable for *:* mappings, but it would be a simple start.
> >
> > Now that you mention it, this _IS_ what we did. We had a file that
> > lists equivalent realms. IIRC we still had to duplicate the keys in
> > both realms, but you may be able to work around that. Hrm, I wonder
> > what happened to those patches?
> >
> > > I think though that the benefits of having a PTS mapping facility that
> > > would map arbitrary Kerberos principals to PTS ids would be quite useful,
> > > and would take the current cross-realm support to new levels.
> > >
> > > Your comment about duplicating the AFS service key - that sounds like
> > > something I was thinking of; unfortunately, I'm not sure how you'd
> > > actually go about doing that with an MS KDC, since you can only put a
> > > password in, not an actual key.
> >
> > Are both KDCs MS KDC? I do have to ask: why do you have two realms?
> > Mapping multiple realms can cause LOTS of problems, unless both realms
> > are under the same domain of control. Basically, you have to be sure
> > that any name duplication across realms really belongs to the same
> > user. Besides, if both realms are under the same domain of control,
> > then why do you NEED two realms in the first place?
> >
> > > -- Nathan
> >
> > -derek
> > --
> > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > Member, MIT Student Information Processing Board (SIPB)
> > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > warlord@MIT.EDU PGP key available
> >
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
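An added example (not OpenAFS code and not from this thread) of the "realms.equiv" idea quoted above: a lookup that collapses principals from listed equivalent realms onto the bare local PTS id, while any unlisted realm keeps the conventional user@realm form so that a same-named user elsewhere cannot inherit the local user's ACL entries. The file format, the local realm, and the refusal of instanced principals are assumptions for illustration.

```python
# Added example, not OpenAFS code. Assumed file format: one realm per line,
# '#' starts a comment. Assumed convention: a user from a non-equivalent
# realm is named "user@realm" (realm lower-cased) in PTS.
from __future__ import annotations

LOCAL_REALM = "UMR.EDU"  # constructed value for the example

# Constructed sample realms.equiv contents.
REALMS_EQUIV = """
# Realms whose principals map 1:1 onto local PTS ids (*:* mapping only)
ROLLA.UMR.EDU
"""


def parse_realms_equiv(text: str) -> set[str]:
    """Return the set of equivalent realms, upper-cased; skip comments/blanks."""
    realms: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            realms.add(line.upper())
    return realms


def principal_to_pts(principal: str, local_realm: str, equiv: set[str]) -> str | None:
    """Map user@REALM to a PTS name, or return None if the principal is unusable.

    Only the local realm and realms in `equiv` collapse onto the bare id.
    Any other realm keeps the user@realm form, so a duplicated name in an
    unrelated realm does not become the local user. Principals with an
    instance (user/inst@REALM) are refused: a *:* mapping has no rule for them.
    """
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if not name or not realm or "/" in name:
        return None
    realm = realm.upper()
    if realm == local_realm.upper() or realm in equiv:
        return name
    return f"{name}@{realm.lower()}"
```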