[OpenAFS] One realm and two cells

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 02 Aug 2005 14:20:33 -0400


>	The setup I am trying to put together has a Kerberos realm A, two openafs 
>cells B and C. I administer C, but have no control over A and B. The set of 
>users of A and B (equal) is a superset of users in C.

I'm assuming you're using Kerberos 5 here.

>	I have received a keytab file that contains the AFS service (using realm A 
>for authentication). I intend to use the pts database on C to authorize a 
>certain small subset of users in A. The credentials for authentication for B 
>and C would thus be identical for that subset of users. Can I set up matters 
>such that when those users try to authenticate, they get authenticated for 
>both B and C ?

If you're using a recently-modern aklog, like the one that ships with
OpenAFS (I sure _hope_ you're using aklog and not klog), by default it
will only get tokens for the "local" AFS cell (defined in the ThisCell
file).  However, if you create a file called ".xlog" in your home
directory and list additional cells in it, aklog will then try to get
tokens for those cells as well.  This isn't automatic, but you could
modify this code to do what you want all of the time.  The same
concept could be applied to something else, like pam_krb5afs, but
you'd probably have to write your own code there (but maybe some of
those pam modules have this functionality already).

--Ken
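To make the .xlog mechanism Ken describes concrete, here is an added example wrapper script (not OpenAFS or aklog code, and not something Ken posted): it does by hand what aklog does with ~/.xlog, so the same "local cell plus a list of extra cells" logic can be reused from a login script or a session hook. It assumes the xlog file lists one cell name per line (blank lines and `#` comments being skipped is this script's convention, not necessarily aklog's), uses aklog's existing `-c cell` and `-k realm` options, and the cell names cell-b.example.org / cell-c.example.org and realm A.EXAMPLE.ORG are made up.

```shell
#!/bin/sh
# Added example, not OpenAFS or aklog code: get tokens for the local cell
# and then for every extra cell listed in an xlog-style file, the way Ken
# describes aklog handling ~/.xlog.
#
# Assumption: the xlog file has one cell name per line; blank lines and
# '#' comments are skipped (this script's convention, not aklog's).

# Print the cells listed in an xlog-style file, one per line, cleaned up.
parse_xlog() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$'
}

# Acquire tokens for the local cell (what aklog does with no arguments)
# and then for every cell named in the xlog file.
#   $1      path to the xlog file (missing file => local cell only)
#   AKLOG   command to run (default: aklog; set to "echo" for a dry run)
#   REALM   if set, passed as "-k REALM" so every cell authenticates
#           against the one Kerberos realm that issued the user's TGT
# Keeps going after a failure so one cell cannot cost the user tokens for
# the others; the return code reports whether any cell failed.
get_all_tokens() {
    xlog=$1
    aklog=${AKLOG:-aklog}
    realm_opt=""
    if [ -n "${REALM:-}" ]; then
        realm_opt="-k $REALM"     # realm names contain no whitespace
    fi
    rc=0
    $aklog $realm_opt || rc=1
    if [ -r "$xlog" ]; then
        # cell names contain no whitespace, so word splitting is safe here
        for cell in $(parse_xlog "$xlog"); do
            $aklog -c "$cell" $realm_opt || rc=1
        done
    fi
    return $rc
}

# Constructed sample xlog file (made-up cell names) for trying this offline.
make_sample_xlog() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# additional cells to get tokens for, besides the local one
cell-b.example.org
cell-c.example.org   # same realm, different pts database
EOF
    echo "$f"
}

# Dry run: ./xlog-tokens.sh --dry-run prints the aklog invocations.
if [ "${1:-}" = "--dry-run" ]; then
    sample=$(make_sample_xlog)
    AKLOG=echo REALM=A.EXAMPLE.ORG get_all_tokens "$sample"
    rm -f "$sample"
fi
```

In the setup from the question, where both cells' afs service principals live in realm A, a single Kerberos TGT from A is enough for every `aklog -c cell -k A` call, so the only per-cell difference is which pts database decides whether the authenticated user is authorized.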