[OpenAFS] Basic AFS Q: Krb Realm of AFS id

Matthew J. Smith matt.smith@uconn.edu
Wed, 11 May 2005 11:46:59 -0400


  I am sure that this is a very basic question, so forgive me, but I
have not found a definitive answer yet.  Let's say my environment has
multiple Krb5 Realms (say, ENT.COM, ORG1.ENT.COM, and ORG2.ENT.COM),
with appropriate trusts in place.  I then create an AFS cell ent.com,
and generate my AFS ticket afs@ENT.COM.  Noticing that I list only the
user name (not the Realm) when creating AFS ids using "pts", here are my
questions:

1)  Is it possible for me to grant AFS access to users outside of
ENT.COM, in the ORG1 or ORG2 realms?

2)  If #1 is possible, how do I differentiate between
msmith@ORG1.ENT.COM and msmith@ORG2.ENT.COM ?

  Beyond the generic questions above, we have one MIT Kerberos realm,
and an Active Directory.  Trusts are established, but creating the
mappings in the AD and having workstations log into the MIT Kerberos
realm is not an option (NTLM2 is required).  I'd like to place AFS in
the MIT realm, and be able to grant access directly to the AD krb
princs.  Is this possible?

Thanks all,
-Matt

Matthew J. Smith
University of Connecticut ITS
This message sent at Wed May 11 11:23:17 2005
PGP Key: http://web.uconn.edu/dotmatt/matt.asc

