[OpenAFS] are both principals required for "unidirectional" cross-realm afs?
Adam Megacz
megacz@cs.berkeley.edu
Mon, 16 Jan 2006 14:46:25 -0800

I just got a test setup of cross-realm (v5) afs working between two
"toy" realms. Pretty nifty, especially since aklog does all the hard
work for the user.

When I set this up, I did the "normal thing" for cross-realm and put
two principals in each realm:

    krbtgt/CELL@OTHER
    krbtgt/OTHER@CELL

Now, if CELL is a realm with a corresponding afs cell, and OTHER is
some other realm with no afs infrastructure at all, do I need both of
these principals? I have this hunch that since OTHER's kdc never
needs to look at a ticket issued by CELL, the second principal
(krbtgt/OTHER@CELL) isn't necessary for this limited functionality,
but I don't know if Kerberos actually works this way.

I tried this with my "toy realms" and it seemed to work when I junked
the second principal and restarted everything. Removing the first
principal caused things to stop working (obviously; just making sure I
was actually reloading things properly).

I ask because I'm about to request that CS.BERKELEY.EDU add a
cross-realm principal for RESEARCH.CS.BERKELEY.EDU (a micro-realm that
exists solely to support the corresponding afs cell), and the less I
ask for the more likely I am to get it.

- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
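
Added example, not part of the original post: a toy Python model of the cross-realm TGS exchange the question is about, showing which krbtgt principal each direction of access consumes. The service names afs/cell@CELL and host/box@OTHER, the user names, and the HMAC-sealed "ticket" tuples are constructed stand-ins, not real Kerberos encodings.

```python
import hashlib, hmac, os

class KDC:
    """Toy KDC: a realm name plus a principal -> key database."""
    def __init__(self, realm):
        self.realm, self.db = realm, {}

    def _key(self, principal):
        if principal not in self.db:
            raise LookupError(f"{self.realm} KDC has no key for {principal}")
        return self.db[principal]

    def _mac(self, principal, client):
        msg = f"{principal}|{client}".encode()
        return hmac.new(self._key(principal), msg, hashlib.sha256).digest()

    def as_req(self, user):
        """Issue the initial TGT for a local user."""
        p, c = f"krbtgt/{self.realm}@{self.realm}", f"{user}@{self.realm}"
        return p, c, self._mac(p, c)

    def tgs_req(self, tgt, target):
        """Check the presented TGT with our own copy of its key, then issue target."""
        p, c, mac = tgt
        if p.split("@")[0] != f"krbtgt/{self.realm}":
            raise PermissionError(f"{p} is not a TGT for {self.realm}")
        if not hmac.compare_digest(mac, self._mac(p, c)):
            raise PermissionError("TGT was not sealed with the key this KDC holds")
        return target, c, self._mac(target, c)

def build(forward=True, reverse=True):
    """Two realms; each enabled cross-realm key is stored in BOTH KDC databases."""
    cell, other = KDC("CELL"), KDC("OTHER")
    for kdc in (cell, other):
        kdc.db[f"krbtgt/{kdc.realm}@{kdc.realm}"] = os.urandom(32)
    cell.db["afs/cell@CELL"] = os.urandom(32)    # constructed service name
    other.db["host/box@OTHER"] = os.urandom(32)  # constructed service name
    for name, on in (("krbtgt/CELL@OTHER", forward), ("krbtgt/OTHER@CELL", reverse)):
        if on:
            cell.db[name] = other.db[name] = os.urandom(32)
    return cell, other

def cross_realm(user, home, remote, service):
    """A user in `home` obtains a ticket for `service` in `remote`."""
    tgt = home.as_req(user)
    xtgt = home.tgs_req(tgt, f"krbtgt/{remote.realm}@{home.realm}")
    return remote.tgs_req(xtgt, service)
```

In this model a user in OTHER reaches the afs service in CELL using only krbtgt/CELL@OTHER, which OTHER's KDC issues and CELL's KDC validates; krbtgt/OTHER@CELL is consulted only when a CELL user asks for a service in OTHER.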