[OpenAFS] General crossrealm setup
Chris McClimans
Chris.McClimans@ttu.edu
Wed, 23 Jul 2003 14:30:55 -0500
I'm trying to allow users that only exist in a foreign realm to have
an afs user and unix/ldap information for my department automatically
created the first time they log in. I may be going about this all wrong,
but I wanted to get this in front of some other afs folks for more
discussion.
We want to standardize the unix ID used across campus (the unix UID
gecos field). Currently all departments have their own ideas and
databases on NIS, NIS+, files, departmental LDAP, etc. The main IT
department on campus is using Microsoft AD/LDAP and KDCs. So I'd like
to base all my unix/afs information on data available in the Campus
wide AD/LDAP and KDC.
Our department has a cross realm relationship between CAMPUS.EDU and
CS.CAMPUS.EDU realms, so any student or faculty can authenticate and
get a kerberos tgt from CAMPUS.EDU and service tickets for the CS
department from CS.CAMPUS.EDU. Microsoft AD/LDAP has an attribute
called usnCreated for every user and group. I was considering using
this relatively low integer as the unix UID for afs and ldap. This way
all departments across campus could use the same unix UID for each
student if they wanted.
Since I currently have an empty /etc/passwd so to speak, should I
actually worry about trying to get unix UIDs to be the same across
campus and afs? Also, since I may have all the groups and usernames
available ahead of time, should I go ahead and populate afs and ldap
before initial login?
-chris
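The mapping Chris sketches above (cross-realm principal, campus AD lookup, usnCreated as the UID, afs and unix entries created on first login), worked through as an added example; this is not code from the post or from OpenAFS. It assumes a fixed set of trusted realms, a UID floor of 1000, an AFS home root under /afs/cs.campus.edu/home, and a constructed in-memory stand-in for the LDAP search result; the `pts createuser -name ... -id ...` form is real OpenAFS syntax, and the `user@realm` naming for cross-realm users follows the OpenAFS convention. The uniqueness check is the part worth keeping: USNs are assigned locally by each domain controller, so the value should come from one authoritative source and be verified unique before it becomes a UID.

```python
import re

# Assumptions (not from the original post): the CS cell's own realm, the
# realms it trusts via cross-realm, and a floor below which UIDs are refused.
LOCAL_REALM = "CS.CAMPUS.EDU"
TRUSTED_REALMS = {"CAMPUS.EDU", "CS.CAMPUS.EDU"}
UID_MIN = 1000           # keep derived UIDs clear of system accounts
AFS_HOME_ROOT = "/afs/cs.campus.edu/home"

# Plain user principals only: no instance component, upper-case realm.
PRINCIPAL_RE = re.compile(r"^([a-z][a-z0-9_.-]{0,31})@([A-Z0-9.-]+)$")

# Constructed stand-in for an LDAP search result against campus AD; only
# the attributes the mapping needs are kept. Values are made up.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "jdoe",   "uSNCreated": "16471", "displayName": "Jane Doe"},
    {"sAMAccountName": "asmith", "uSNCreated": "16538", "displayName": "Alex Smith"},
    {"sAMAccountName": "svcbak", "uSNCreated": "512",   "displayName": "Backup Service"},
    {"sAMAccountName": "dup1",   "uSNCreated": "20000", "displayName": "Duplicate One"},
    {"sAMAccountName": "dup2",   "uSNCreated": "20000", "displayName": "Duplicate Two"},
]


def parse_principal(principal):
    """Split 'user@REALM' and refuse anything outside the trusted realms."""
    m = PRINCIPAL_RE.match(principal)
    if m is None:
        raise ValueError(f"unsupported principal form: {principal!r}")
    name, realm = m.groups()
    if realm not in TRUSTED_REALMS:
        raise ValueError(f"realm {realm} is not trusted for provisioning")
    return name, realm


def lookup_user(name, directory):
    """Find exactly one AD entry for the account name (case-insensitive)."""
    matches = [e for e in directory if e["sAMAccountName"].lower() == name]
    if len(matches) != 1:
        raise LookupError(f"expected one entry for {name}, found {len(matches)}")
    return matches[0]


def derive_uid(entry, directory):
    """Use uSNCreated as the UID, rejecting low values and any collision."""
    uid = int(entry["uSNCreated"])
    if uid < UID_MIN:
        raise ValueError(f"uSNCreated {uid} is below UID_MIN={UID_MIN}")
    clashes = [e for e in directory
               if e is not entry and int(e["uSNCreated"]) == uid]
    if clashes:
        raise ValueError(f"UID {uid} is not unique in the directory")
    return uid


def afs_name(name, realm):
    """OpenAFS names cross-realm users user@realm, realm lower-cased."""
    return name if realm == LOCAL_REALM else f"{name}@{realm.lower()}"


def provision(principal, directory=SAMPLE_DIRECTORY):
    """Return what a first-login hook would create; nothing is executed here."""
    name, realm = parse_principal(principal)
    entry = lookup_user(name, directory)
    uid = derive_uid(entry, directory)
    pts_name = afs_name(name, realm)
    gecos = entry["displayName"].replace(":", " ")   # keep the passwd line well-formed
    return {
        "afs_name": pts_name,
        "uid": uid,
        "pts_command": ["pts", "createuser", "-name", pts_name, "-id", str(uid)],
        "passwd_line": f"{name}:x:{uid}:{uid}:{gecos}:{AFS_HOME_ROOT}/{name}:/bin/sh",
    }


if __name__ == "__main__":
    for p in ("jdoe@CAMPUS.EDU", "asmith@CS.CAMPUS.EDU", "svcbak@CAMPUS.EDU",
              "dup1@CAMPUS.EDU", "jdoe@OTHER.EDU"):
        try:
            print(provision(p))
        except (ValueError, LookupError) as exc:
            print(f"{p}: refused: {exc}")
```

Running it shows the two good cases mapped and the three bad ones refused (low USN, duplicate USN, untrusted realm); in a real hook the returned pts command and passwd line would be handed to `pts` and to the LDAP/passwd provisioning step rather than printed.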