[OpenAFS] are both principals required for "unidirectional" cross-realm afs?

Adam Megacz megacz@cs.berkeley.edu
Mon, 16 Jan 2006 14:46:25 -0800

I just got a test setup of cross-realm (v5) afs working between two
"toy" realms.  Pretty nifty, especially since aklog does all the hard
work for the user.

When I set this up, I did the "normal thing" for cross realm and put
two principals in each realm:


Now, if CELL is a realm with a corresponding afs cell, and OTHER is
some other realm with no afs infrastructure at all, do I need both of
these principals?  I have this hunch that since OTHER's kdc never
needs to look at a ticket issued by CELL, the second principal
(krbtgt/OTHER@CELL) isn't necessary for this limited functionality,
but I don't know if Kerberos actually works this way.

I tried this with my "toy realms" and it seemed to work when I junked
the second principal and restarted everything.  Removing the first
principal caused things to stop working (obviously; just making sure I
was actually reloading things properly).

I ask because I'm about to request that the CS.BERKELEY.EDU add a
cross-realm principal for RESEARCH.CS.BERKELEY.EDU (a micro-realm that
exists solely to support the corresponding afs cell), and the less I
ask for the more likely I am to get it.

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380