[OpenAFS-devel] Anyone supporting multiple realms in a "all realms are equal" type of setup?

Neulinger, Nathan nneul@umr.edu
Wed, 22 Sep 2004 10:07:57 -0500


I have a scenario that I'm needing to treat 5 or 6 different kerberos
realms as equivalent for access to AFS even though they have different
sets of users in them. The other requirement is that users not have to type
in the full "user@realm" for acling.

Is anyone doing anything like this?

It looks to me like I will need to:

	1. Change login auth mechanism to support multiple realms as
able to log in to the same local user with password. (Either via SSH or
kerberos, without using .k5login)

	2. Switch afs to using a custom klog, probably based on
gssklog(d) that has a mapping file so that it generates a ticket for
main cell regardless of which realm requested the ticket.

Is there any less ugly way to do this?

One thought I had is that I could live with regular cross-realm if there
was some way to add "aliases" to PTS. That would solve the "regular
userid for the acl" problem and eliminate #2 above in lieu of just using
regular cross realm support. Basically, allow a PTS ID to have multiple
possible principal names, so that "nneul" would also be known as
"nneul@umr.edu" and "nneul@um.umsystem.edu", with only the primary
(short) name being returned in an ID-to-Name lookup.

Thoughts?

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-6679
UMR Information Technology             Fax: (573) 341-4216
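One way to get the realm-to-local-user mapping of item 1 without .k5login, added here as an example and not part of Nathan's post or of OpenAFS: MIT Kerberos auth_to_local rules in krb5.conf on the login hosts. It assumes the hosts' default realm is UMR.EDU and that UM.UMSYSTEM.EDU is one of the equivalent realms (uppercase forms of the two realm names in the post); OTHER.REALM.EXAMPLE and the kdc hostnames are placeholders.

```ini
# Added example krb5.conf fragment (not from the post). Assumes the login
# hosts' default realm is UMR.EDU and that cross-realm keys between the
# realms already exist on the KDCs. Hostnames below are placeholders.
[libdefaults]
    default_realm = UMR.EDU

[realms]
    UMR.EDU = {
        kdc = kdc.umr.edu
        # Rules are tried in order. [1:$1@$0] rebuilds a one-component
        # principal as "name@REALM"; the regexp accepts it only when the
        # realm is one we treat as equivalent to our own; s/@.*// then
        # strips the realm, so nneul@UM.UMSYSTEM.EDU becomes local "nneul".
        auth_to_local = RULE:[1:$1@$0](^[^@]+@UM\.UMSYSTEM\.EDU$)s/@.*//
        auth_to_local = RULE:[1:$1@$0](^[^@]+@OTHER\.REALM\.EXAMPLE$)s/@.*//
        # Multi-component principals (e.g. nneul/admin@...) match no rule
        # and are rejected rather than silently collapsed onto a user.
        # DEFAULT maps single-component principals of the local realm
        # (nneul@UMR.EDU -> nneul) and rejects every other realm, so a
        # realm not listed above gets no local account at all.
        auth_to_local = DEFAULT
        # Caveat: all listed realms share one local namespace. A username
        # present in two of them maps to the same account, so this only
        # holds up while the realms' user sets are disjoint, as stated.
    }
    UM.UMSYSTEM.EDU = {
        kdc = kdc.um.umsystem.edu
    }

[capaths]
    # Direct trust in both directions; "." means no intermediate realm.
    UM.UMSYSTEM.EDU = {
        UMR.EDU = .
    }
    UMR.EDU = {
        UM.UMSYSTEM.EDU = .
    }
```

These rules apply to ticket-based logins (GSSAPI ssh, kerberized login), where the client already presents a realm-qualified principal. Password logins through a PAM module still need the module to pick the user's realm, since the typed username alone does not say which realm to ask.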