Re: [OpenAFS] AFS authentication against Active Directory & MIT Kerberos V

Nathan Neulinger nneul@umr.edu
Sun, 14 Apr 2002 15:23:29 -0500


If these realms are truly intended to be equivalent, I would suggest
making a slightly modified krb524d that rewrites the realm before it
outputs the k4 ticket. That should be a trivial hack.

-- Nathan

Derek Atkins wrote:
> 
> "Fabian Aichele" <faichele@primusnetz.de> writes:
> 
> > Hello!
> >
> > Thank you for answering.
> > Sorry, but I didn't mention: I have two Kerberos realms, but only ONE AFS
> > cell.
> 
> That's ok.  This is still "cross-cell authentication", where you have
> one kerberos realm that is equal to your cellname and other which is
> not.  Users in the "foreign" kerberos realm behave as foreign AFS
> users, but can still authenticate.
> 
> > The two realms are HILARENHAUS.HILARITAS.DE and
> > LINUX.HILARENHAUS.HILARITAS.DE, the AFS cell is named
> > linux.hilarenhaus.hilaritas.de and uses the MIT Kerberos server that
> > controls LINUX.HILARENHAUS.HILARITAS.DE as authentication source.
> > Is it possible to make AFS accept user principals from both realms (provided
> > the according pts entries exist)? Or must I use an AFS cell that has
> > exactly the same name as my Kerberos realm?
> 
> I don't know if OpenAFS has the code to treat multiple Kerberos Realms
> as equivalent.  The only issue with using this code (if it exists) is
> that userX@REALM1 and userX@REALM2 are assumed to be the same user,
> which means you have to make sure that the two kerberos realms have a
> flat namespace.
> 
> What I was saying earlier about cross-cell Authentication is the
> easier route to use, and works just fine in your current environment.
> 
> Just create your cross-cell group in AFS using your administrator tokens:
> 
>         pts creategroup system:authuser@hilarenhaus.hilaritas.de \
>                 system:administrators -cell linux.hilarenhaus.hilaritas.de
> 
> Then try your aklog again as your foreign user.
> 
> -derek
> 
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 


------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216