Re: [OpenAFS] AFS authentication against Active Directory & MIT Kerberos V

Derek Atkins openafs-info@openafs.org
14 Apr 2002 13:02:00 -0400


"Fabian Aichele" <faichele@primusnetz.de> writes:

> Hello!
> 
> Thank you for answering.
> Sorry, but I didn't mention: I have two Kerberos realms, but only ONE AFS
> cell.

That's ok.  This is still "cross-cell authentication", where you have
one kerberos realm that is equal to your cellname and other which is
not.  Users in the "foreign" kerberos realm behave as foreign AFS
users, but can still authenticate.

> The two realms are HILARENHAUS.HILARITAS.DE and
> LINUX.HILARENHAUS.HILARITAS.DE, the AFS cell is named
> linux.hilarenhaus.hilaritas.de and uses the MIT Kerberos server that
> controls LINUX.HILARENHAUS.HILARITAS.DE as authentication source.
> Is it possible to make AFS accept user principals from both realms (provided
> the according pts entries exist)? Or must I use an AFS cell that has
> exactly the same name as my Kerberos realm?

I don't know if OpenAFS has the code to treat multiple Kerberos Realms
as equivalent.  The only issue with using this code (if it exists) is
that userX@REALM1 and userX@REALM2 are assumed to be the same user,
which means you have to make sure that the two kerberos realms have a
flat namespace.

What I was saying earlier about cross-cell Authentication is the
easier route to use, and works just fine in your current environment.

Just create your cross-cell group in AFS using your administrator tokens:

        pts creategroup system:authuser@hilarenhaus.hilaritas.de \
                system:administrators -cell linux.hilarenhaus.hilaritas.de

Then try your aklog again as your foreign user.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
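The two models Derek contrasts (cross-cell foreign users versus treating realms as equivalent) can be checked without an AFS cell. The following is an added illustration, not code from the thread or from OpenAFS: it maps Kerberos principals to the pts names aklog would use under each model and shows where the "equivalent realms" model collapses two different principals onto one AFS user. It assumes the usual convention that a cell's own realm is its uppercased cell name, that foreign users appear as `user@realm` (realm lowercased) in the group `system:authuser@realm`, and that the `/` instance separator becomes `.` in AFS names.

```python
"""Map Kerberos principals to AFS (pts) identities under two models.

  * cross-cell: a principal from a realm other than the cell's own realm
    becomes the foreign user "user@realm" (realm lowercased) and is
    covered by the group system:authuser@realm;
  * equivalent realms: extra realms are treated as the cell's own, so
    "userX@REALM1" and "userX@REALM2" both collapse to plain "userX".
Assumption: the cell's own realm is the uppercased cell name.
"""
from collections import defaultdict


def afs_identity(principal, cell, equivalent_realms=()):
    """Return (pts_name, authuser_group) for a Kerberos principal."""
    user, realm = principal.rsplit("@", 1)
    user = user.replace("/", ".")  # instance separator as AFS writes it
    local_realms = {cell.upper(), *(r.upper() for r in equivalent_realms)}
    if realm.upper() in local_realms:
        return user, "system:authuser"
    foreign = realm.lower()
    return f"{user}@{foreign}", f"system:authuser@{foreign}"


def find_collisions(principals, cell, equivalent_realms=()):
    """Return {pts_name: [principals]} for names shared by more than one
    principal; non-empty means the realms do not have a flat namespace."""
    seen = defaultdict(list)
    for p in principals:
        seen[afs_identity(p, cell, equivalent_realms)[0]].append(p)
    return {name: ps for name, ps in seen.items() if len(ps) > 1}


CELL = "linux.hilarenhaus.hilaritas.de"
# Constructed sample: the same user name exists in both realms.
SAMPLE = [
    "fabian@LINUX.HILARENHAUS.HILARITAS.DE",
    "fabian@HILARENHAUS.HILARITAS.DE",
    "derek@HILARENHAUS.HILARITAS.DE",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", afs_identity(p, CELL))
    print("cross-cell collisions:", find_collisions(SAMPLE, CELL))
    print("equivalent-realm collisions:",
          find_collisions(SAMPLE, CELL, ["HILARENHAUS.HILARITAS.DE"]))
```

With cross-cell mapping the sample yields no collisions; with the second realm declared equivalent, both `fabian` principals map to the single pts user `fabian`.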