[OpenAFS] Authenticating to two different cells at once ?

Giovanni Bracco bracco@frascati.enea.it
Mon, 03 Jun 2002 08:39:34 +0200


At 5/31/2002 05:07 PM -0500, you wrote:
> > I wish to know if I can authenticate to two different cells at once.
> >
> > My organization has two different AFS cells with different filespaces -
> > engin.umich.edu and umich.edu.
>
>We talked about this on the list a while back.  One suggestion (by me) was
>to modify pam_afs.so to accept a "cell=" argument so you could stack two
>pam_afs.so modules in your pam config, and make one required and one
>optional (or something similar).
>
>However, the general consensous was that people in such situations (two
>cells where users on cell B are a subset of users on cell A) should
>configure a single Krb5 realm (presumably with cell A's users), and then
>have the two AFS cells both authenticate against a single kerberos realm.
>Then you could get a single TGT, and then aklog twice -- once for each
>cell -- to get the tokens you need.
>
>[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]

I have also posted a similar question in the past but the last answer is 
not very satisfactory, as there are cases where the 2 cells are managed by 
different subjects and the "subset" criteria does not applies. In that 
situation a simpler machanism for double automatic authorization at login 
would be very usefull (.....tha'ts my case obviously!)

Giovanni

>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info

Giovanni Bracco
Associazione EURATOM-ENEA sulla Fusione
C.R.E. ENEA Frascati
Via E. Fermi 45
I-00044 Frascati (Roma) Italy
phone 00-39-06-9400-5597
FAX   00-39-06-9400-5735
E-mail  bracco@frascati.enea.it
WWW   http://fusfis.frascati.enea.it/~bracco