[OpenAFS] one afs/cell.domain princs per realm

Kevin Coffman kwc@citi.umich.edu
Wed, 27 Aug 2003 13:39:53 -0400


> So, if few people use gssklog, that means that you've only got Doug to
> help you when there are problems.  Maybe there won't BE any problems,
> but I am doubtful.  Not that I think gssklog is a bad piece of software,
> but it's been my experience that when you're starting out with AFS
> and trying to put a separate Kerberos realm in the mix, you're
> going to have some problems, simply due to a lack of experience and
> the complexity of the different parts.
> 
> If I was in your situation, knowing what I know now, I'd do one of
> two things:
> 
> - I'd investigate the relocating of the krb524d server, similar to what
>   other people who are stuck using Windows AD servers are doing.
> - I'd have aklog do the krb5 ticket mangling itself.

Doesn't number two present all the problems you have with gssklog?
He'll have only himself to maintain a different aklog and others
trying to get to his cell will need his aklog.