[OpenAFS-devel] Anyone supporting multiple realms in a "all realms are equal" type of setup?

Mark Montague markmont@umich.edu
Wed, 22 Sep 2004 11:19:34 -0400 (EDT)


On Wed, 22 Sep 2004, Neulinger, Nathan wrote:

> I have a scenario that I'm needing to treat 5 or 6 different kerberos
> realms as equivalent for access to AFS even though they have different
> sets of users in them. Other requirement is that users not have to type
> in the full "user@realm" for acling.

Not sure if this is exactly what you want, but the lsa.umich.edu
cell accepts Kerberos credentials from either the LSA.UMICH.EDU
Kerberos realm or the UMICH.EDU Kerberos realm when issuing
tokens for the lsa.umich.edu cell.  No changes to SSH, Kerberos,
PAM, or anything else on the client side were necessary for
this (aside from the fact that you'll need to use kinit+aklog
instead of klog in order to present the Kerberos tickets to AFS).
You'll need an appropriate AFS principal added to your Kerberos
server (afs/cell@REALM -- e.g., afs/lsa.umich.edu@UMICH.EDU).
On the AFS server, implementing this requires creating a
/usr/afs/etc/krb.conf file with the appropriate realm(s),
and adding a key for the other Kerberos realm's AFS principal
to your /usr/afs/etc/KeyFile so that the AFS server will
trust the other Kerberos realm.

This scheme uses the PTS users of the local cell, so users
never have to type "user@realm" for anything.  But it does
mean that all users from the other Kerberos realms will need
to be added to your local cell's PTS database; things are
not "automatic" in this regard.

Note that I did not do the work described above in our
environment, but if this sounds useful to you I can get
you the complete list of steps we followed and put you in
touch with the right people here.

                Mark Montague
                LS&A Information Technology
                The University of Michigan
                markmont@umich.edu
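As an added illustration that is not part of Mark's message or of OpenAFS itself, the following Python model walks through the three conditions the message describes (a key for afs/cell@REALM in the KeyFile, the realm listed in krb.conf, and a matching PTS entry) and shows which PTS name a server would end up authorizing for a given Kerberos principal. The cell, realm and user names are constructed; the lowercased `user@realm` form for non-local realms is the convention aklog uses.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample server configuration (not a real cell).
CELL = "example.org"
KRB_CONF_REALMS = {"EXAMPLE.ORG", "OTHER.EXAMPLE.ORG"}        # realms in /usr/afs/etc/krb.conf
KEYFILE_PRINCIPALS = {"afs/example.org@EXAMPLE.ORG",
                      "afs/example.org@OTHER.EXAMPLE.ORG"}    # keys present in /usr/afs/etc/KeyFile
PTS_USERS = {"alice", "bob"}                                  # local cell's PTS database


@dataclass
class Decision:
    accepted: bool
    pts_name: Optional[str] = None
    reason: str = ""


def map_principal(principal: str, cell=CELL, realms=KRB_CONF_REALMS,
                  keyfile=KEYFILE_PRINCIPALS, pts=PTS_USERS) -> Decision:
    """Model of how a server in `cell` treats a token presented for `principal`.

    1. The token is encrypted in the key of afs/<cell>@<REALM>; without that
       key in KeyFile the server cannot decrypt it, so the realm is not trusted.
    2. If REALM is listed in krb.conf the realm is dropped and the bare name is
       looked up in PTS; otherwise the PTS name stays user@realm (lowercased).
    3. The resulting name must exist in PTS to get more than system:anyuser.
    """
    if "@" not in principal:
        return Decision(False, reason="principal lacks a realm")
    name, realm = principal.rsplit("@", 1)
    if f"afs/{cell}@{realm}" not in keyfile:
        return Decision(False, reason=f"no KeyFile key for afs/{cell}@{realm}")
    pts_name = name if realm in realms else f"{name}@{realm.lower()}"
    if pts_name not in pts:
        return Decision(False, pts_name, f"{pts_name} not in PTS; add it with pts createuser")
    return Decision(True, pts_name, "authorized as PTS user")


if __name__ == "__main__":
    for p in ("alice@EXAMPLE.ORG", "bob@OTHER.EXAMPLE.ORG",
              "carol@OTHER.EXAMPLE.ORG", "alice@UNTRUSTED.EXAMPLE"):
        print(p, "->", map_principal(p))
```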