AW: [OpenAFS] AFS authentication against Active Directory & MIT Kerberos V
Nathan Neulinger
nneul@umr.edu
Sun, 14 Apr 2002 15:23:29 -0500
If these realms are truly intended to be equivalent, I would suggest
making a slightly modified krb524d that rewrites the realm before it
outputs the k4 ticket. That should be a trivial hack.
-- Nathan
Derek Atkins wrote:
>
> "Fabian Aichele" <faichele@primusnetz.de> writes:
>
> > Hello!
> >
> > Thank you for answering.
> > Sorry, but I didn't mention: I have two Kerberos realms, but only ONE AFS
> > cell.
>
> That's ok. This is still "cross-cell authentication", where you have
> one kerberos realm that is equal to your cellname and other which is
> not. Users in the "foreign" kerberos realm behave as foreign AFS
> users, but can still authenticate.
>
> > The two realms are HILARENHAUS.HILARITAS.DE and
> > LINUX.HILARENHAUS.HILARITAS.DE, the AFS cell is named
> > linux.hilarenhaus.hilaritas.de and uses the MIT Kerberos server that
> > controls LINUX.HILARENHAUS.HILARITAS.DE as authentication source.
> > Is it possible to make AFS accept user principals from both realms (provided
> > the according pts entries exist)? Or must I use an AFS cell that has
> > exactly the same name as my Kerberos realm?
>
> I don't know if OpenAFS has the code to treat multiple Kerberos Realms
> as equivalent. The only issue with using this code (if it exists) is
> that userX@REALM1 and userX@REALM2 are assumed to be the same user,
> which means you have to make sure that the two kerberos realms have a
> flat namespace.
>
> What I was saying earlier about cross-cell Authentication is the
> easier route to use, and works just fine in your current environment.
>
> Just create your cross-cell group in AFS using your administrator tokens:
>
> pts creategroup system:authuser@hilarenhaus.hilaritas.de \
> system:administrators -cell linux.hilarenhaus.hilaritas.de
>
> Then try your aklog again as your foreign user.
>
> -derek
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
------------------------------------------------------------
Nathan Neulinger EMail: nneul@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
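The cross-cell route Derek describes in the quoted reply turns on two rules: a principal from the realm that matches the cell name is a local AFS user, while a principal from any other realm is a foreign user whose pts entry is named user@realm and who can only be auto-registered by aklog if the group system:authuser@realm exists. The block below is an added example written for this page, not code from the thread or from OpenAFS; it models those rules in plain Python (the pts name derivation, the '/'-to-'.' instance mapping, and the required group) and adds the flat-namespace collision check Derek raises for the "equivalent realms" approach. The realm and user names are the ones from the thread; the pts group sets and user lists are constructed, and the exact naming of foreign pts entries is an assumption about aklog behaviour rather than something the thread states.

```python
"""Model of how a Kerberos principal maps to an AFS pts identity for one cell.

Added example for this thread; not OpenAFS code.  Assumes aklog's convention
that a foreign principal becomes the pts entry "user@<realm lowercased>" and
is auto-registered only when "system:authuser@<realm lowercased>" exists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

CELL = "linux.hilarenhaus.hilaritas.de"   # the single AFS cell from the thread


@dataclass(frozen=True)
class AfsIdentity:
    pts_name: str                  # name the user will have in pts
    foreign: bool                  # realm differs from the cell's own realm
    required_group: Optional[str]  # group that must exist for auto-registration


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, REALM); reject malformed input."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return name, realm


def afs_identity(principal: str, cell: str = CELL) -> AfsIdentity:
    """Derive the pts identity for a principal authenticating to `cell`."""
    name, realm = split_principal(principal)
    # aklog writes a principal's '/' instance separator as '.' in pts names
    base = name.replace("/", ".")
    if realm.upper() == cell.upper():
        # Local realm: plain username, nothing extra needed in pts
        return AfsIdentity(base, False, None)
    suffix = realm.lower()
    return AfsIdentity(f"{base}@{suffix}", True, f"system:authuser@{suffix}")


def can_auto_register(identity: AfsIdentity, existing_groups: Set[str]) -> bool:
    """Local users never need the group; foreign users need system:authuser@realm."""
    return (not identity.foreign) or identity.required_group in existing_groups


def realm_name_collisions(users_by_realm: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Names present in more than one realm.

    If two realms were treated as equivalent (userX@REALM1 == userX@REALM2),
    every entry returned here is a pair of accounts that would silently share
    one AFS identity, so the namespace is not flat enough for that approach.
    """
    seen: Dict[str, List[str]] = {}
    for realm, users in users_by_realm.items():
        for user in users:
            seen.setdefault(user, []).append(realm)
    return {u: sorted(r) for u, r in seen.items() if len(r) > 1}


if __name__ == "__main__":
    # Constructed pts state: only the group from Derek's pts creategroup exists
    groups = {"system:authuser@hilarenhaus.hilaritas.de"}
    for princ in ("faichele@LINUX.HILARENHAUS.HILARITAS.DE",
                  "faichele@HILARENHAUS.HILARITAS.DE",
                  "faichele/admin@LINUX.HILARENHAUS.HILARITAS.DE"):
        ident = afs_identity(princ)
        print(f"{princ:45} -> pts {ident.pts_name:45} "
              f"foreign={ident.foreign} auto-register={can_auto_register(ident, groups)}")

    # Constructed user lists to show the flat-namespace check
    print(realm_name_collisions({
        "HILARENHAUS.HILARITAS.DE": ["faichele", "backup"],
        "LINUX.HILARENHAUS.HILARITAS.DE": ["faichele", "nneul"],
    }))
```

Running the script shows the local principal mapping to a plain pts name, the foreign principal mapping to faichele@hilarenhaus.hilaritas.de with auto-registration allowed only because the system:authuser group is present, and the collision check flagging "faichele" as a name that exists in both realms.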