[OpenAFS] system:authuser and cross realms

Gunnar Gunnarsson gunnar@ki.ericsson.se
Fri, 5 Jul 2002 09:18:28 +0200


But how do I create the group in my cell?
With pts I get 
> pts cg system:authuser@realmB
pts: Badly formed name (group prefix doesn't match owner?) ; unable to create group system:authuser@wrn.ki.sw.ericsson.se 

Derek Atkins writes:
 > Gunnar Gunnarsson <gunnar@ki.ericsson.se> writes:
 > 
 > > I thought that if I have a cross relation to other realms ( sharing
 > > a common key ) then they would be accepted as system:authuser in my
 > > realm. Apparently it doesn't work like that. How can I accept those
 > > tokens as system:authuser in my cell and use them in acl and groups.
 > 
 > No, it doesn't work like that.  If realmA and realmB have Kerberos
 > cross certification, then it is _POSSIBLE_ to set up cross-cell
 > authentication between cellA and cellB.  I'm only going to describe it
 > in one direction (they are separable).
 > 
 > - "A" creates a group: system:authuser@realmB
 > 
 > This allows users in realmB to "register" themselves in cellA.
 > "aklog" will do this automatically (I do not believe that 'klog' will
 > do this at all).  aklog effectively does the first time:
 >   - get tokens for foreign-cell
 >   - pts createuser user@localrealm -cell foreign-cell
 >   - get tokens for user@localrealm -cell foreign-cell
 > 
 > (All subsequent calls jump to the third step.)
 > 
 > - "A" sets the group quota to the max number of users they want to be
 > able to register.
 > 
 > Since users can register themselves, you may want to limit the
 > size of your "foreign" users groups...
 > 
 > At this point users in cellA can add system:authuser@realmB to their
 > ACLs.  Once people register you can add them individually to acls, too
 > (but only after they run through the "aklog/createuser/aklog"
 > process).
 > 
 > -derek
 > 
 > -- 
 >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
 >        Member, MIT Student Information Processing Board  (SIPB)
 >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
 >        warlord@MIT.EDU                        PGP key available
 > _______________________________________________
 > OpenAFS-info mailing list
 > OpenAFS-info@openafs.org
 > https://lists.openafs.org/mailman/listinfo/openafs-info
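The steps Derek lists above (create the registration group, cap its quota, then reference it in ACLs), collected into one script as an added example that is not part of this thread. It assumes `pts` and `fs` are on the PATH and that the caller holds administrator tokens for the local cell; `cella`, `cellb` and `/afs/cella/shared` are placeholder names. It also assumes the well-known ptserver rule that a group whose name carries the `system:` prefix must be owned by `system:administrators`, which is the usual reason a bare `pts creategroup system:authuser@...` is rejected with "group prefix doesn't match owner". The suffix is written as the foreign cell name, matching the name shown in the error output above. `DRY_RUN=1` (the default) prints each command instead of running it.

```shell
#!/bin/sh
# Added example, not code from the OpenAFS-info thread.
# One-direction cross-cell setup performed in the local cell ("A").
# Assumptions: pts/fs are installed, the caller has admin tokens for the
# local cell, and all cell and directory names below are placeholders.
# DRY_RUN=1 (default) only prints the commands that would be executed.

DRY_RUN="${DRY_RUN:-1}"

# Print the command line, and execute it only when DRY_RUN is 0.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Name of the group that registered users of a foreign cell land in.
authuser_group() {            # $1 = foreign cell name
    printf 'system:authuser@%s\n' "$1"
}

# Step 1: create the registration group. Assumption (see lead-in): a
# "system:" group has to be owned by system:administrators.
create_foreign_group() {      # $1 = local cell, $2 = foreign cell
    run pts creategroup -name "$(authuser_group "$2")" \
        -owner system:administrators -cell "$1"
}

# Step 2: cap how many foreign users may self-register through aklog.
# The cap matters because registration needs no admin action, so an
# unbounded group lets anyone in the foreign realm fill the local PTS.
set_registration_quota() {    # $1 = local cell, $2 = foreign cell, $3 = max users
    case "$3" in
        ''|*[!0-9]*) echo "quota must be a positive integer" >&2; return 1 ;;
    esac
    [ "$3" -gt 0 ] || { echo "quota must be greater than zero" >&2; return 1; }
    run pts setfields -nameorid "$(authuser_group "$2")" \
        -groupquota "$3" -cell "$1"
}

# Step 3: grant the foreign group read/lookup on a directory. Individual
# user@foreigncell entries exist only after that user has run aklog once.
grant_read_to_foreign_users() {   # $1 = foreign cell, $2 = directory
    run fs setacl -dir "$2" -acl "$(authuser_group "$1")" rl
}

# Demo with placeholder names; in dry-run mode this only prints commands.
create_foreign_group cella cellb
set_registration_quota cella cellb 500
grant_read_to_foreign_users cellb /afs/cella/shared
```

Run it once with `DRY_RUN=1` to review the three commands, then with `DRY_RUN=0` from a host with administrator tokens for the local cell. The quota check rejects empty or non-numeric values so that a typo cannot silently leave the group uncapped.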