[OpenAFS] Automatic AFS authentication on more than 1 cell

Giovanni Bracco bracco@frascati.enea.it
Thu, 28 Feb 2002 13:10:50 +0100

At 2/28/2002 06:19 AM -0500, you wrote:
>Giovanni Bracco <bracco@frascati.enea.it> writes:
> > In the implementation it would be better not to modify the pam arguments
> > but to add another file of the same type as "ThisCell" like "OtherCells"
> > containing a list of cells, comma separated. If the file does not exist
> > nothing new is performed. Does it sound reasonable?
>It would be better if this were per-user.  If every user in ThisCell
>exists under the same principal name in OtherCells, then why
>have 2 cells?  Chances are, you have some people who are missing,
>and sooner or later, unless your various system administrators coordinate
>things carefully, you'll end up with duplicate names, or people with
>different names in different cells.
>Here at the University of Michigan, we've tried to support a slightly
>more flexible scheme:
>each user can have a file,
>         .principals
>that specifies additional realms in which to get Kerberos tickets.
>This idea is to have one or more lines like this:
>         # this line ignored
>         @ENGIN.UMICH.EDU
>         marcus@WELL.COM &
>         mwatts@CYBERSPACE.ORG
>Once authentication is accepted in the primary realm, login (or
>whatever) can then go off & get these additional tickets,
>potentially under a different name, and possibly in the background.

Do you mean that the user must not explicitly provide a password for the 
other cells (e.g. in an ssh connection to the main cell), provided that the 
password is the same on the different cells/users?

If that is the case, this solution also looks great and surely is more 
flexible. Can it be implemented in OpenAFS?


Giovanni Bracco
Associazione EURATOM-ENEA sulla Fusione
C.R.E. ENEA Frascati
Via E. Fermi 45
I-00044 Frascati (Roma) Italy
phone 00-39-06-9400-5597
FAX   00-39-06-9400-5735
E-mail  bracco@frascati.enea.it
WWW   http://fusfis.frascati.enea.it/~bracco
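
The `.principals` format quoted above can be read with a strict parser like the one below. This is an added example, not code from the University of Michigan or OpenAFS; it assumes that a bare `@REALM` line reuses the login name and that a trailing `&` requests the ticket in the background, and the names `parse_principals` and `Entry` are hypothetical.

```python
import re
from typing import List, NamedTuple


class Entry(NamedTuple):
    name: str         # principal name to request a ticket for
    realm: str        # Kerberos realm
    background: bool  # True if the line ended with '&' (assumed meaning)


# Optional name, '@', realm. Anything else is rejected rather than guessed at,
# because a login-time component would read this user-controlled file.
_PRINCIPAL = re.compile(r"^([A-Za-z0-9._/-]*)@([A-Za-z0-9.-]+)$")


def parse_principals(text: str, login_name: str) -> List[Entry]:
    """Parse .principals content into (name, realm, background) entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        background = line.endswith("&")
        if background:
            line = line[:-1].rstrip()
        match = _PRINCIPAL.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        name, realm = match.groups()
        # Assumption: '@REALM' alone means "same name as the primary login".
        entries.append(Entry(name or login_name, realm, background))
    return entries


# The sample lines from the quoted message.
SAMPLE = """\
# this line ignored
@ENGIN.UMICH.EDU
marcus@WELL.COM &
mwatts@CYBERSPACE.ORG
"""

if __name__ == "__main__":
    for entry in parse_principals(SAMPLE, login_name="marcus"):
        print(entry)
```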