[OpenAFS] cross-realm afs client access
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 30 Aug 2004 12:35:18 -0400
On Monday, August 30, 2004 11:09:52 -0400 "Derek T. Yarnell" <derek@cs.umd.edu> wrote:
> doing first-time registration of derek@cs.umd.edu at csic.umd.edu
> aklog: Badly formed name (group prefix doesn't match owner?) so unable
> to create remote PTS user derek@cs.umd.edu in cell csic.umd.edu (status:
> 267272).
Translation: The csic.umd.edu cell prdb does not contain a
'system:authuser@cs.umd.edu' group. This group needs to be created (and
probably given a decently large group quota) before cross-realm user
entries can be created.
> Personally I would like to not have users of username@cs.umd.edu in the
> CSIC realm/cell because everyone in CS that would access CSIC would have
> an account in both. Is there a way to map derek@cs.umd.edu to just
> derek?
You can, but only by telling the csic.umd.edu cell servers that their local
realm is CS.UMD.EDU. A set of fileservers can have only one local realm.
Note that if you control the CS.UMD.EDU realm and CSIC.UMD.EDU exists only
to support the AFS cell, the simplest thing to do is eliminate the second
realm entirely. Key your fileservers as afs/csic.umd.edu@CS.UMD.EDU, and
tell them that CS.CMU.EDU is their local realm. Of course, your clients
will also have to have suitable host-to-realm mappings so that they think
CS.UMD.EDU is the realm containing your dbservers.
Doug Engert will probably wake up and tell you that if only you were using
gssklog, everything would be so much better.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
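The fix Jeff describes (creating the per-realm `system:authuser@REALM` group in the cell's prdb and giving it a large group quota before cross-realm users can be auto-created), as an added shell example that is not part of the original thread. It assumes the OpenAFS `pts` command is on the PATH with admin tokens for the cell; the owner `system:administrators`, the quota value 1000 and the `PTS` override for dry runs are assumptions of this example.

```sh
#!/bin/sh
# Added example: make sure system:authuser@<REALM> exists in a cell's prdb.
# Set PTS to another command (e.g. PTS=echo) for a dry run.
PTS="${PTS:-pts}"

# Name of the group aklog looks for when a user from REALM first appears in
# the cell (REALM spelled as aklog reports it, i.e. lower-case).
authuser_group() {
    printf 'system:authuser@%s\n' "$1"
}

# Return 0 if the group is already in the cell's prdb, non-zero otherwise.
authuser_group_exists() {
    # $1 = foreign realm, $2 = cell
    "$PTS" examine -nameorid "$(authuser_group "$1")" -cell "$2" >/dev/null 2>&1
}

# Create the group (owner assumed to be system:administrators) and set a group
# quota large enough for the foreign users expected; each cross-realm user that
# aklog auto-creates is charged against this quota, so a default-sized quota
# runs out quickly.
ensure_authuser_group() {
    # $1 = foreign realm, $2 = cell, $3 = group quota
    group=$(authuser_group "$1")
    if authuser_group_exists "$1" "$2"; then
        echo "$group already present in $2" >&2
        return 0
    fi
    "$PTS" creategroup -name "$group" -owner system:administrators -cell "$2" &&
    "$PTS" setfields -nameorid "$group" -groupquota "$3" -cell "$2"
}

# Usage: sh ensure_authuser.sh cs.umd.edu csic.umd.edu 1000
if [ "$#" -eq 3 ]; then
    ensure_authuser_group "$1" "$2" "$3"
fi
```

Run it once per foreign realm whose users should be able to obtain tokens in the cell; `pts examine system:authuser@cs.umd.edu -cell csic.umd.edu` afterwards shows the group and its remaining quota.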