[OpenAFS-devel] Anyone supporting multiple realms in a "all realms are equal" type of setup?

Neulinger, Nathan nneul@umr.edu
Wed, 22 Sep 2004 10:44:52 -0500


Yeah, it sounds very much like what we are needing to do...

I'll still need to modify kerberos and ssh (since I don't see any way to
get krb login or ssh to accept login for X from more than one different
realm) - but not having to modify AFS on the clients is a big plus.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-6679
UMR Information Technology             Fax: (573) 341-4216

> -----Original Message-----
> From: openafs-devel-admin@openafs.org
> [mailto:openafs-devel-admin@openafs.org] On Behalf Of Mark Montague
> Sent: Wednesday, September 22, 2004 10:20 AM
> To: openafs-devel@openafs.org
> Subject: Re: [OpenAFS-devel] Anyone supporting multiple
> realms in a "all realms are equal" type of setup?
>
> On Wed, 22 Sep 2004, Neulinger, Nathan wrote:
>
> > I have a scenario that I'm needing to treat 5 or 6 different Kerberos
> > realms as equivalent for access to AFS even though they have different
> > sets of users in them. Other requirement is that users not have to type
> > in the full "user@realm" for acling.
>
> Not sure if this is exactly what you want, but the lsa.umich.edu
> cell accepts Kerberos credentials from either the LSA.UMICH.EDU
> Kerberos realm or the UMICH.EDU Kerberos realm when issuing
> tokens for the lsa.umich.edu cell.  No changes to SSH, Kerberos,
> PAM, or anything else on the client side were necessary for
> this (aside from the fact that you'll need to use kinit+aklog
> instead of klog in order to present the Kerberos tickets to AFS).
> You'll need an appropriate AFS principal added to your Kerberos
> server (afs/cell@REALM -- e.g., afs/lsa.umich.edu@UMICH.EDU).
> On the AFS server, implementing this requires creating a
> /usr/afs/etc/krb.conf file with the appropriate realm(s),
> and adding a key for the other Kerberos realm's AFS principal
> to your /usr/afs/etc/KeyFile so that the AFS server will
> trust the other Kerberos realm.
>
> This scheme uses the PTS users of the local cell, so users
> never have to type "user@realm" for anything.  But it does
> mean that all users from the other Kerberos realms will need
> to be added to your local cell's PTS database; things are
> not "automatic" in this regard.
>
> Note that I did not do the work described above in our
> environment, but if this sounds useful to you I can get
> you the complete list of steps we followed and put you in
> touch with the right people here.
>
>                 Mark Montague
>                 LS&A Information Technology
>                 The University of Michigan
>                 markmont@umich.edu
>
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
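The realm-to-PTS mapping Mark describes above, modelled as an added example (not OpenAFS code and not from either poster): every realm listed in krb.conf is treated as local, so its principals map to bare PTS names, and a name that exists in two of the equivalent realms ends up as the same PTS user. The one-realm-per-line krb.conf format, the lowercased "user@realm" form for non-listed realms, and the sample realms and principals are assumptions constructed for the illustration.

```python
# Added illustration of the "all realms are equal" mapping, not OpenAFS code.
from typing import Dict, List, Set

# Constructed krb.conf contents (assumed format: one realm name per line).
KRB_CONF = """\
LSA.UMICH.EDU
UMICH.EDU
"""

# Constructed principals: 'alice' exists in both equivalent realms.
SAMPLE_PRINCIPALS = [
    "alice@LSA.UMICH.EDU",
    "alice@UMICH.EDU",
    "bob@UMICH.EDU",
    "carol@EXAMPLE.ORG",  # realm not in krb.conf, stays a foreign user
]


def load_equivalent_realms(text: str) -> Set[str]:
    """Parse realm names, one per line, ignoring blank and '#' lines."""
    realms: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            realms.add(line.upper())
    return realms


def pts_name_for(principal: str, equivalent_realms: Set[str]) -> str:
    """Map user@REALM to the PTS name the server would look up.

    A principal from an equivalent realm loses its realm and is looked up
    as the bare PTS user; any other realm keeps an explicit user@realm
    form with the realm lowercased (assumed foreign-user convention).
    """
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    if realm.upper() in equivalent_realms:
        return user
    return f"{user}@{realm.lower()}"


def find_collisions(principals: List[str],
                    equivalent_realms: Set[str]) -> Dict[str, List[str]]:
    """Return PTS names that more than one principal would be mapped onto."""
    claims: Dict[str, List[str]] = {}
    for principal in principals:
        claims.setdefault(pts_name_for(principal, equivalent_realms), []).append(principal)
    return {name: owners for name, owners in claims.items() if len(owners) > 1}
```

Run `find_collisions(SAMPLE_PRINCIPALS, load_equivalent_realms(KRB_CONF))` to see which PTS entries would be shared between realms before adding users to the local cell's PTS database.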