[OpenAFS] Poll: how many organizations are performing principal name mappings via krb524d, gssklogd, etc?

Ken Hornstein kenh@cmf.nrl.navy.mil
Wed, 22 Sep 2004 13:57:14 -0400


>For example, yesterday we determined that Kerberos 5 principals
>within the realm NCSA.EDU are mapped via krb524d to Kerberos 4
>principals within the realm NCSA.UIUC.EDU in order for AFS to
>recognize the local user since the cell name is ncsa.uiuc.edu.
>
>   u@NCSA.EDU (k5) -> u@NCSA.UIUC.EDU (k4) -> u@ncsa.uiuc.edu (afs)

Let me provide a bit of history on this.

This code was part of the AFS-Kerberos 5 Migration kit from many years back.
I believe it was written by Von Welch at NCSA, who adapted it from some other
code from Doug Engert (I guess I could look at the CVS history, but I don't
think it's that important).  Von wrote it so NCSA could have an AFS cell that
didn't match their Kerberos realm.

Now, as people will point out, this complicated mess really wasn't
necessary.  If you put a krb.conf file (if you can figure out the
format, which I always forget) in the right location on an AFS server, it
will use that as the name of the Kerberos realm associated with that
AFS cell, and everything will work as it should.  The problem with this
is that it's documented about as well as everything else in AFS; that
is to say, it's stored in the brains of about a dozen people on the
planet, and if you don't happen to mention this problem to one of them,
you'll never know that this feature exists (I only became aware of
this years after the fact because of an offhand comment Sam Hartman
made once).

I did a more extended version of this hack here in an attempt to solve
problems we had with cross-realm PTS userids not matching the Unix userid
of people, but it never really caught on and eventually the need for it
diminished, so we never really used it in wide production and eventually
stopped doing this.

I guess based on all of this, it seems like I've seen the following cases
when remapping is used:

- Map one realm to a cell of a different name.  As discussed previously,
  this is easy, if unfortunately not documented.  No namespace issues
  to worry about.

- Map multiple realms to one AFS cell.  I've heard multiple people are
  doing that, but I don't know what changes are required to AFS to make
  that happen (if any).  The code I've seen would seem to work from
  only one realm, but obviously people are doing this, so I don't know
  what the magic is.

- Map random principal name X into random principal name Y.  The less common
  case, and probably relatively few people need this one.

It sounds like the first two cases are the most common, and have
reasonable solutions that shouldn't affect the client codebase (which
is what Jeff is complaining about, and I can hardly blame him for doing
so).  The last case is harder, and having looked at the problem,
clearly the right solution is to do something like aliases in the
ptserver ... but I looked at that, and doing THAT is hard.  Doing
aliases in krb524d is much simpler (even though it's the wrong place to
do it).

--Ken
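Added illustration of the three remapping cases Ken lists (one realm to a cell, several realms to one cell, arbitrary principal aliases), together with a check for the identity collisions the multi-realm case can produce. This is example code written for this page, not code from the post, krb524d, gssklogd or any AFS release; the RemapConfig structure, its fields and the sample principals are invented, and the real krb.conf / krb524d configuration formats are not modelled.

```python
# Added example (not from the OpenAFS post or any AFS/Kerberos code): a toy
# model of Kerberos 5 principal -> AFS identity remapping. RemapConfig and the
# sample data are constructed for this illustration only.

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RemapConfig:
    # Cases 1 and 2: Kerberos realm -> AFS cell. Several realms may name the
    # same cell; a realm that is not listed gets no local identity at all.
    realm_to_cell: dict
    # Case 3: explicit alias of one full principal to a PTS user name.
    aliases: dict = field(default_factory=dict)


def parse_principal(principal):
    """Split 'name[/instance]@REALM' into (name, instance, realm).

    Only a single instance component is handled; this is a simplification
    of the example, not a full Kerberos principal parser.
    """
    if "@" not in principal:
        raise ValueError("principal without realm: %r" % principal)
    local, realm = principal.rsplit("@", 1)
    name, _, instance = local.partition("/")
    if not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    return name, instance, realm


def map_principal(principal, cfg):
    """Return (cell, pts_name) for a K5 principal, or None when its realm is
    not mapped to any cell.

    The K5 -> K4 -> AFS step is modelled by the usual AFS naming rule that
    'name/instance' becomes 'name.instance' (the user.admin convention).
    """
    name, instance, realm = parse_principal(principal)
    cell = cfg.realm_to_cell.get(realm)
    if cell is None:
        return None
    pts_name = cfg.aliases.get(principal)  # case 3 takes precedence
    if pts_name is None:
        pts_name = name if not instance else "%s.%s" % (name, instance)
    return cell, pts_name


def find_collisions(principals, cfg):
    """Map every principal and report (cell, pts_name) pairs claimed by more
    than one distinct principal. With several realms feeding one cell,
    u@NCSA.EDU and u@NCSA.UIUC.EDU would silently share one AFS identity."""
    owners = defaultdict(set)
    for p in principals:
        mapped = map_principal(p, cfg)
        if mapped is not None:
            owners[mapped].add(p)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


# Constructed sample configuration: the realm and cell names are the ones
# quoted in the post, everything else (alias, user names) is made up.
CONFIG = RemapConfig(
    realm_to_cell={"NCSA.EDU": "ncsa.uiuc.edu",         # case 1
                   "NCSA.UIUC.EDU": "ncsa.uiuc.edu"},   # case 2
    aliases={"jdoe@NCSA.EDU": "johndoe"},               # case 3 (hypothetical)
)

SAMPLE = ["u@NCSA.EDU", "u@NCSA.UIUC.EDU", "admin/admin@NCSA.EDU",
          "jdoe@NCSA.EDU", "visitor@OTHER.ORG"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", map_principal(p, CONFIG))
    print("collisions:", find_collisions(SAMPLE, CONFIG))
```

The collision check is the part worth keeping in mind for case 2: once two realms are treated as local to the same cell, nothing in the name itself distinguishes their users, so a deployment doing this needs either disjoint user namespaces in the two KDCs or an explicit alias table for the overlaps.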