[OpenAFS] system:authuser and cross realms

Derek Atkins warlord@MIT.EDU
04 Jul 2002 09:02:22 -0400


Gunnar Gunnarsson <gunnar@ki.ericsson.se> writes:

> I thought that if I have a cross relation to other realms ( sharing
> a common key ) then they would be accepted as system:authuser in my
> realm. Apparently it doesn't work like that. How can I accept those
> tokens as system:authuser in my cell and use them in ACLs and groups.

No, it doesn't work like that.  If realmA and realmB have kerberos
cross certification, then it is _POSSIBLE_ to setup cross-cell
authentication between cellA and cellB.  I'm only going to describe it
in one direction (they are separable).

- "A" creates a group: system:authuser@realmB

This allows users in realmB to "register" themselves in cellA.
"aklog" will do this automatically (I do not believe that 'klog' will
do this at all).  aklog effectively does the first time:
  - get tokens for foreign-cell
  - pts createuser user@localrealm -cell foreign-cell
  - get tokens for user@localrealm -cell foreign-cell

(All subsequent calls jump to the third step.)

- "A" sets the group quota to the max number of users they want to be
able to register.

Since users can register themselves, you may want to limit the
size of your "foreign" users groups...

At this point users in cellA can add system:authuser@realmB to their
ACLs.  Once people register you can add them individually to ACLs, too
(but only after they run through the "aklog/createuser/aklog"
process).

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
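The two halves of the procedure above (the one-time setup by the cellA administrator, and the aklog/createuser/aklog dance a realmB user goes through on first contact) written out as a small POSIX shell wrapper. This is an added example, not code from the thread or from OpenAFS itself. Cell and realm names (cella.example, REALMB.EXAMPLE), the user name and the quota value are placeholders; the example assumes that the "group quota" Derek refers to is the group quota field on the system:authuser@REALM entry, set with pts setfields -groupquota, which the ptserver uses as the ceiling on self-registrations. With DRY_RUN=1 (the default here) every function only prints the pts/aklog/fs command it would run, so the script can be read, and its output checked, without an AFS cell; set DRY_RUN=0 on a real admin host holding cellA tokens to execute them.

```shell
#!/bin/sh
# Added example (not from the original thread or OpenAFS): the cross-cell
# registration steps as shell functions. All names below are placeholders.
# DRY_RUN=1 (default) prints commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# run CMD ARG... : execute the command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# admin_setup LOCAL_CELL FOREIGN_REALM MAX_USERS
# Run once by a cellA administrator (system:administrators member with
# cellA tokens). Creates the system:authuser@REALM group and sets its
# group quota, assumed here to be the cap on how many foreign users may
# register themselves. Keep MAX_USERS small: registration is self-service.
admin_setup() {
    local_cell=$1; foreign_realm=$2; max_users=$3
    run pts creategroup "system:authuser@${foreign_realm}" -cell "$local_cell"
    run pts setfields "system:authuser@${foreign_realm}" \
        -groupquota "$max_users" -cell "$local_cell"
}

# admin_check LOCAL_CELL FOREIGN_REALM
# Lists the group entry and everyone who has registered so far, so the
# administrator can compare the membership against the quota and spot
# unexpected registrations.
admin_check() {
    local_cell=$1; foreign_realm=$2
    run pts examine "system:authuser@${foreign_realm}" -cell "$local_cell"
    run pts membership "system:authuser@${foreign_realm}" -cell "$local_cell"
}

# user_register USER HOME_REALM FOREIGN_CELL
# What aklog does the first time a realmB user touches cellA, as the
# three steps in the post: get tokens, create the PTS entry
# user@REALMB in cellA, then get tokens again so the new PTS id is in
# the token. Needs a Kerberos TGT for USER@HOME_REALM and working
# cross-realm trust; later runs only need the last step.
user_register() {
    user=$1; home_realm=$2; foreign_cell=$3
    run aklog -cell "$foreign_cell"
    run pts createuser "${user}@${home_realm}" -cell "$foreign_cell"
    run aklog -cell "$foreign_cell"
}

# grant_group_read DIR FOREIGN_REALM
# Gives every registered realmB user read/lookup on DIR via the group,
# which is what makes the group useful in ACLs once it exists.
grant_group_read() {
    dir=$1; foreign_realm=$2
    run fs setacl "$dir" "system:authuser@${foreign_realm}" rl
}

# Demo (DRY_RUN=1, so nothing touches a real cell): print both halves.
admin_setup cella.example REALMB.EXAMPLE 100
user_register alice REALMB.EXAMPLE cella.example
grant_group_read /afs/cella.example/shared REALMB.EXAMPLE
```

To apply it for real, export DRY_RUN=0 and call admin_setup from a host with administrative cellA tokens; user_register is only a spelled-out illustration of the aklog sequence, since aklog performs those steps on its own.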