[OpenAFS-devel] Multi-Realm Kerberos Support in 1.4.x

Christopher D. Clausen cclausen@acm.org
Tue, 23 Sep 2008 11:22:47 -0500


Jason D. McCormick <jasonmc@sei.cmu.edu> wrote:
> In RT issue 58447 there's mention that the multi-realm Kerberos patch
> would be put into the 1.4 production branch around what looks like
> the release time of 1.4.5.  However in looking at the patch and the
> code in 1.4.7 I don't see any support for specifying multiple realms
> in krb.conf.  Am I missing something or was this not added?  If it
> wasn't added, was there a reason it wasn't added that would cause
> problems if I started using the patch?  I'm looking for a way to
> authenticate users from a "foreign" realm. The two K5 realms have a
> two-way trust but I don't want to have to create foreign-realm PTS
> entries, I want jasonmc@REALM1.COM and jasonmc@REALM2.COM to get the
> same PTS/token in the cell realm1.com.

I haven't had a problem (well, not a problem related to the patch 
anyway) using the patch with the UIUC.EDU, AD.UIUC.EDU and 
ILLIGAL.UIUC.EDU realms.

That patch will do what you want and you should be able to apply it 
yourself and compile.  Be aware of the security implications of trusting 
the realms in this manner though.  Whoever can create principals in 
either realm can potentially gain access to your cell as a 
system:administrator.

<<CDC
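The mapping behind the warning above, as an added example that is not part of the thread, the patch, or OpenAFS source: it models how a cell turns a Kerberos principal into the PTS name it authorizes, and what changes once krb.conf lists a second realm as local. The cell, its PTS entries and the sample principals are constructed for illustration; the mapping rules (local-realm suffix stripped, foreign realm kept as lowercase user@realm, instance separator "/" becoming ".") follow OpenAFS convention in simplified form.

```python
"""Added example (not OpenAFS code): how an AFS cell turns a Kerberos
principal into the PTS name it authorizes, and what changes when krb.conf
lists a second realm as local."""

from dataclasses import dataclass, field


@dataclass
class Cell:
    """Toy AFS cell: the realms listed in krb.conf plus minimal PTS state."""
    local_realms: set[str]                            # as in krb.conf, uppercase
    pts_users: set[str] = field(default_factory=set)  # names pts knows
    admins: set[str] = field(default_factory=set)     # system:administrators members


def pts_name_for(principal: str, local_realms: set[str]) -> str:
    """Map name[/instance]@REALM to the PTS name the cell looks up.

    Conventions modelled here (OpenAFS behaviour, simplified): a principal
    from a local realm loses its realm suffix, a foreign one keeps it with
    the realm lowercased ("user@realm"), and the instance separator "/"
    becomes ".".
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"expected name@REALM, got {principal!r}")
    name = name.replace("/", ".")
    if realm.upper() in local_realms:
        return name
    return f"{name}@{realm.lower()}"


def authorize(cell: Cell, principal: str) -> tuple[str, bool, bool]:
    """Return (pts_name, is_known_user, is_admin) for a token holder."""
    pts_name = pts_name_for(principal, cell.local_realms)
    return pts_name, pts_name in cell.pts_users, pts_name in cell.admins


# Constructed sample cell "realm1.com": PTS knows jasonmc and admin, and
# admin sits in system:administrators.
def single_realm_cell() -> Cell:
    return Cell({"REALM1.COM"}, {"jasonmc", "admin"}, {"admin"})


def multi_realm_cell() -> Cell:
    # Same PTS database, but krb.conf now also lists REALM2.COM as local.
    return Cell({"REALM1.COM", "REALM2.COM"}, {"jasonmc", "admin"}, {"admin"})


# Constructed sample token holders (hypothetical realms from the question).
PRINCIPALS = ["jasonmc@REALM1.COM", "jasonmc@REALM2.COM", "admin@REALM2.COM"]


def compare() -> dict[str, dict[str, tuple[str, bool, bool]]]:
    """Authorization outcome for each sample principal in both cell configs."""
    return {
        "single": {p: authorize(single_realm_cell(), p) for p in PRINCIPALS},
        "multi": {p: authorize(multi_realm_cell(), p) for p in PRINCIPALS},
    }


if __name__ == "__main__":
    for config, results in compare().items():
        print(f"krb.conf realms: {config}")
        for principal, (pts_name, known, admin) in results.items():
            print(f"  {principal:22} -> {pts_name:20} known={known} admin={admin}")
```

With only REALM1.COM local, jasonmc@REALM2.COM and admin@REALM2.COM resolve to foreign names (jasonmc@realm2.com, admin@realm2.com) that PTS does not know, so they get no rights beyond system:anyuser. Once REALM2.COM is also listed, jasonmc@REALM2.COM collapses onto the local jasonmc entry, which is the outcome the question asks for, but admin@REALM2.COM collapses onto the local admin entry and inherits system:administrators. The check before adding a realm to krb.conf is therefore whether you trust every party who can create principals in that realm's KDC.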