[OpenAFS] Authenticating to two different cells at once ?

Charles Clancy security@xauth.net
Fri, 31 May 2002 17:07:17 -0500 (CDT)


> I wish to know if I can authenticate to two different cells at once.
>
> My organization has two different AFS cells with different filespaces -
> engin.umich.edu and umich.edu.

We talked about this on the list a while back.  One suggestion (by me) was
to modify pam_afs.so to accept a "cell=" argument so you could stack two
pam_afs.so modules in your pam config, and make one required and one
optional (or something similar).

However, the general consensus was that people in such situations (two
cells where users on cell B are a subset of users on cell A) should
configure a single Krb5 realm (presumably with cell A's users), and then
have the two AFS cells both authenticate against a single Kerberos realm.
Then you could get a single TGT, and then aklog twice -- once for each
cell -- to get the tokens you need.

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]
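
The single-TGT approach described in the message above (one ticket, then aklog once per cell), as an added example that is not part of the original post. The function name `afs_multicell_tokens` is hypothetical, the realm is passed in as a parameter because the thread does not name it, and the check assumes MIT `klist -s` and that `tokens` lists each token as `afs@<cell>`.

```shell
# Added example: get AFS tokens for several cells from one Kerberos 5 TGT.
# Assumes MIT klist and the OpenAFS aklog/tokens tools are on PATH.

# afs_multicell_tokens REALM CELL [CELL...]
# Returns 0 if a token is held for every cell listed,
#         1 if a token for any cell is missing,
#         2 if there is no valid TGT to derive tokens from.
afs_multicell_tokens() {
    realm=$1
    shift
    # klist -s prints nothing; its exit status says whether the
    # credential cache holds unexpired tickets.
    if ! klist -s; then
        echo "no valid TGT; run: kinit <user>@${realm}" >&2
        return 2
    fi
    missing=0
    for cell in "$@"; do
        # -c selects the cell, -k names the realm holding its afs key.
        if ! aklog -c "$cell" -k "$realm"; then
            echo "aklog failed for cell ${cell}" >&2
            missing=1
            continue
        fi
        # Confirm the cache manager really holds the token. The trailing
        # space keeps umich.edu from matching a longer cell name, and -F
        # stops the dots being treated as regex wildcards.
        if ! tokens | grep -qF "afs@${cell} "; then
            echo "no token listed for cell ${cell}" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage with the cells from the thread (realm is a placeholder):
#   kinit user@EXAMPLE.REALM
#   afs_multicell_tokens EXAMPLE.REALM umich.edu engin.umich.edu
```

A non-zero return means at least one cell is still unauthenticated, so access to that filespace falls back to whatever its ACLs grant anonymous users.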