[OpenAFS] Tokens, Tickets and two cells...
Frank Burkhardt
fbo2@gmx.net
Wed, 20 Oct 2004 18:03:54 +0200
Hi,
On Wed, Oct 20, 2004 at 06:03:42AM -0400, Jeffrey Altman wrote:
[snip]
> It is perfectly acceptable to have a single Kerberos REALM provide
> authentication for two completely independent AFS cells. The Kerberos
> realm simply provides two AFS service principals
>
> afs/cell-one@REALM
> afs/cell-two@REALM
>
> which in turn map to the AFS service key. The AFS server then specifies
> an /usr/afs/etc/krb.conf file with a single line specifying the "REALM".
---------------------
This file was the solution.
> In the case of cell and realm combinations "foo" / "FOO" and "bar" /
> "BAR" I believe it is possible for cell "foo" to lie and say its realm
> is "BAR" in krb.conf and for "bar" to lie and say its realm is "FOO".
> This will treat principals of both "FOO" and "BAR" to be local to each.
> However, you will need to ensure that "user@FOO" and "user@BAR" really
> are the same individual with the same authorization roles with regards
> to AFS. If the two realms "FOO" and "BAR" are under separate
> administrative domains this might be impossible to do which is one reason
> why this architecture along with any architectures which perform
> principal name re-writing are to be avoided.
Good point...
I'm going to remove one of those Realms.
Thank you very much,
Frank
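The identity collision described in the quoted message (listing both "FOO" and "BAR" as local realms in krb.conf makes user@FOO and user@BAR the same AFS user) can be made concrete with a small model. The following is an added illustration, not OpenAFS source code and not from either poster; it assumes the conventional OpenAFS behaviour that krb.conf lists one realm name per line, that a principal from a local realm is mapped to its bare user name, and that a principal from a foreign realm keeps its realm in lowercased user@realm form. The realm and user names are constructed sample data.

```python
"""Model of how an AFS cell maps a Kerberos principal to an AFS identity
depending on the realms it lists as local in /usr/afs/etc/krb.conf.
Constructed illustration; not OpenAFS code."""

from collections import defaultdict


def load_krb_conf(text):
    # Assumed krb.conf layout: one realm name per line, blank lines ignored.
    return [line.strip() for line in text.splitlines() if line.strip()]


def afs_identity(principal, local_realms):
    """Map user@REALM to the name AFS would use for authorization.

    A principal from a realm listed as local loses its realm; a foreign
    principal keeps it as user@realm (lowercased), so the two stay distinct.
    """
    if "@" not in principal:
        raise ValueError("expected a principal of the form user@REALM")
    user, realm = principal.rsplit("@", 1)
    if realm in local_realms:
        return user
    return f"{user}@{realm.lower()}"


def find_collisions(principals, local_realms):
    """Return AFS names that more than one distinct principal maps onto.

    Any entry here means two Kerberos identities share one AFS identity,
    which is exactly the situation the quoted message warns about.
    """
    seen = defaultdict(set)
    for principal in principals:
        seen[afs_identity(principal, local_realms)].add(principal)
    return {name: sorted(ps) for name, ps in seen.items() if len(ps) > 1}


# Constructed sample: cell "foo" either lists only its own realm, or "lies"
# and also claims BAR as local.
HONEST_KRB_CONF = "FOO\n"
LYING_KRB_CONF = "FOO\nBAR\n"
PRINCIPALS = ["alice@FOO", "alice@BAR", "bob@FOO"]


def demo():
    """Compare collisions under the honest and the lying krb.conf."""
    honest = find_collisions(PRINCIPALS, load_krb_conf(HONEST_KRB_CONF))
    lying = find_collisions(PRINCIPALS, load_krb_conf(LYING_KRB_CONF))
    return honest, lying


if __name__ == "__main__":
    honest, lying = demo()
    print("collisions with krb.conf = FOO:", honest)
    print("collisions with krb.conf = FOO + BAR:", lying)
```

With only "FOO" in krb.conf, alice@BAR stays a separate identity (alice@bar) and no collision is reported; with both realms listed, alice@FOO and alice@BAR both become "alice", so an ACL or PTS group entry for alice now grants access to whoever controls either account. Running a check like `find_collisions` against the user lists of both realms before merging them into one krb.conf is the kind of review the quoted message says is required, and that becomes impossible when the realms are administered separately.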