[OpenAFS] OpenAFS+KerberosV permission problem

Ken Hornstein kenh@cmf.nrl.navy.mil
Thu, 29 May 2003 13:31:15 -0400


>Um, afs/cell@REALM works just fine..  I've got a krb5 ticket for
>afs/sipb.mit.edu@ATHENA.MIT.EDU using principal warlord@ATHENA.MIT.EDU
>and I've got a valid token for "user warlord in cellsipb.mit.edu".
>
>So the fact that cell != REALM shouldn't matter.

I can assure you that without doing some extra configuration, it
definately DOES matter.  I know that y'all at MIT have been doing this
for years, and it definately does work, but I've seen this cause lots
of problems for people who didn't understand all of the implications.
If you have a simple configuration (one realm and one cell), it is
definately better for the Kerberos/AFS novice to make the cell and the
realm name the same.

--Ken