[OpenAFS] Basic AFS Q: Krb Realm of AFS id

Matthew J. Smith matt.smith@uconn.edu
Wed, 11 May 2005 11:46:59 -0400

  I am sure that this is a very basic question, so forgive me, but I
have not found a definitive answer yet.  Let's say my environment has
multiple Krb5 Realms (say, ENT.COM, ORG1.ENT.COM, and ORG2.ENT.COM),
with appropriate trusts in place.  I then create an AFS cell ent.com,
and generate my AFS ticket afs@ENT.COM.  Noticing that I list only the
user name (not the Realm) when creating AFS ids using "pts", here are my

1)  Is it possible for me to grant AFS access to users outside of
ENT.COM, in the ORG1 or ORG2 realms?

2)  If #1 is possible, how do I differentiate between
msmith@ORG1.ENT.COM and msmith@ORG2.ENT.COM ?

  Beyond the generic questions above, we have one MIT Kerberos realm,
and an Active Directory.  Trusts are established, but creating the
mappings in the AD and having workstations log into the MIT Kerberos
realm is not an option (NTLM2 is required).  I'd like to place AFS in
the MIT realm, and be able to grant access directly to the AD krb
princs.  Is this possible?

Thanks all,

Matthew J. Smith
University of Connecticut ITS
This message sent at Wed May 11 11:23:17 2005
