[OpenAFS] Kerberos 5, AFS, and no krb524d

Ken Hornstein kenh@cmf.nrl.navy.mil
Fri, 06 Jun 2003 13:18:14 -0400


>>  o An aklog that just used the k5 ticket would be good, but is there one
>>    yet? This would in effect be a klog, using k5, and the K5 realm must
>>    match the AFS cell. The AFS servers need to be 1.2.9 
>
>Why must the K5 realm match the AFS cell? I think this would not work,
>as we have a static K5 realm of UPENN.EDU and are looking to migrate
>each of our Linux clusters to its own AFS cell.

You can certainly _make_ this work ... but it requires extra
configuration.  Out of the box, the AFS cell will assume its Kerberos
realm is the AFS cell name, and users from UPENN.EDU will appear as
foreign realm users (with the effect that nobody will be able to
authenticate as local PTS entries).

To use an overused metaphor, it sounds like you're going right from the
kiddie pool to swimming the English Channel.  You might want to scale
back the scope a bit (or get someone who has more experience to help
you).

--Ken
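
An added example, not part of the original message and not OpenAFS code: a simplified Python model of the out-of-the-box behaviour described above, where the cell treats its own upper-cased name as the local Kerberos realm and everyone else as a foreign-realm user. The cell name cluster1.example.edu, the user names and the local_realms parameter (standing in for the extra configuration) are assumptions.

```python
# Simplified model of realm-to-cell identity mapping; not OpenAFS source.

def default_local_realm(cell):
    """Out of the box, the cell assumes its realm is the cell name (upper-cased)."""
    return cell.upper()


def pts_identity(principal, cell, local_realms=None):
    """Return the PTS name a Kerberos 5 principal would be treated as.

    local_realms is a hypothetical parameter modelling the extra
    configuration; when omitted, only the cell-derived realm is local.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM, got %r" % principal)
    realms = set(local_realms) if local_realms else {default_local_realm(cell)}
    afs_name = name.replace("/", ".")  # K5 'user/admin' is AFS 'user.admin'
    if realm in realms:
        return afs_name  # matches a local PTS entry
    # Foreign-realm user: a distinct identity, never the local entry.
    return "%s@%s" % (afs_name, realm.lower())


def foreign_principals(principals, cell, local_realms=None):
    """List the principals that would not authenticate as local PTS entries."""
    return [p for p in principals if "@" in pts_identity(p, cell, local_realms)]


if __name__ == "__main__":
    cell = "cluster1.example.edu"  # constructed cell name
    users = ["alice@UPENN.EDU", "bob/admin@CLUSTER1.EXAMPLE.EDU"]  # constructed
    for u in users:
        print(u, "->", pts_identity(u, cell))
    print("foreign by default:", foreign_principals(users, cell))
    print("foreign with UPENN.EDU declared local:",
          foreign_principals(users, cell, ["UPENN.EDU", "CLUSTER1.EXAMPLE.EDU"]))
```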