[OpenAFS] KRB5 "Super-Realm" and multiple cells

Chris Huebsch chris.huebsch@informatik.tu-chemnitz.de
Tue, 9 Nov 2004 22:01:18 +0100 (CET)


Hello,

my problem with the (really) huge cell is gone - we accept that this is
not really possible.

Our new idea is multiple cells and "manually" synced volumes to ensure
a single filesystem image across all cells. (Example follows later.)

To get this working, we think about one (and only one) (Heimdal) Krb 5
realm for all cells (e.g. called MASTER.TLD).

The cells are called site1.master.tld, site2.master.tld and so on.

Is it naive to think it is sufficient to put every user in the ptserver
of each cell and the user becomes authenticated in every cell?

My problem is that I don't want to use user@site1.master.tld in ACLs,
because the user will change his site over time and the ACLs should
remain valid.

Another scenario is that a user who has his $HOME on a fileserver of
site1 wants to use a computer at site2.

We maintain a directory called /afs/master.tld/homes, which contains
mountpoints to all user-volumes. They will always be mounted with the
correct -cell option in fs mkmount.

If the user logs in to a computer of site2, he will get a ticket from
the master realm. His $HOME will point to /afs/master.tld/home/user. But
will he have the correct credentials to access his volume?

Thank you for your help


Chris Huebsch
-- 
Chris Huebsch    www.huebsch-gemacht.de | TU Chemmnitz, Informatik, RNVS
GPG-Encrypted mail welcome! ID:7F2B4DBA |   Str. d. Nationen 62, B204
  Chemnitzer Linux-Tage 2005, 5.-6.Maerz |       D-09107 Chemnitz
     http://chemnitzer.linux-tage.de/    |  +49 371 531-1377, Fax -1803
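The homes directory described in the post stays a single image only as long as every mount point names the cell that really hosts the volume. The script below is an added example, not part of the original post or of OpenAFS itself: it assumes a hypothetical "user cell volume" table kept by the admins, parses fs lsmount output in its documented form, and reports mount points that are missing or point at the wrong cell. All user names, cells and lsmount lines in it are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post): audit /afs/master.tld/homes so
# every user's mount point names the cell that really hosts the user's volume.
# The user/cell/volume table and the fs lsmount lines are constructed samples.
HOMES=/afs/master.tld/homes

# The fs mkmount command that would create one user's mount point (printed).
mkmount_cmd() {   # $1=user  $2=cell  $3=volume
    printf 'fs mkmount -dir %s/%s -vol %s -cell %s\n' "$HOMES" "$1" "$3" "$2"
}

# Extract "cell:volume" from one line of fs lsmount output, which looks like:
# '/afs/master.tld/homes/alice' is a mount point for volume '#site1.master.tld:home.alice'
lsmount_target() {   # stdin: one fs lsmount line
    sed -n "s/^'[^']*' is a mount point for volume '[#%]\([^']*\)'$/\1/p"
}

# Compare the expected table ($1: "user cell volume" per line) with observed
# fs lsmount output ($2). Prints one line per problem; returns 1 if any.
audit_homes() {
    rc=0
    while read -r user cell vol; do
        [ -z "$user" ] && continue
        want="$cell:$vol"
        got=$(grep "^'$HOMES/$user' " "$2" | lsmount_target)
        if [ -z "$got" ]; then
            echo "MISSING  $user: create it with: $(mkmount_cmd "$user" "$cell" "$vol")"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $user: mount point gives $got, expected $want"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample data: bob's volume moved to site2 but the mount point
# still names site1; carol has no mount point yet.
EXPECTED=$(mktemp); OBSERVED=$(mktemp)
cat > "$EXPECTED" <<'EOF'
alice site1.master.tld home.alice
bob   site2.master.tld home.bob
carol site2.master.tld home.carol
EOF
cat > "$OBSERVED" <<'EOF'
'/afs/master.tld/homes/alice' is a mount point for volume '#site1.master.tld:home.alice'
'/afs/master.tld/homes/bob' is a mount point for volume '#site1.master.tld:home.bob'
EOF
audit_homes "$EXPECTED" "$OBSERVED" || echo "homes directory needs attention"
```

In a real cell the OBSERVED file would be filled from `fs lsmount` run over each entry of the homes directory; the script only reads that output, it never modifies AFS.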