[OpenAFS] are both principals required for "unidirectional" cross-realm afs?

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 16 Jan 2006 17:56:04 -0500


On Monday, January 16, 2006 02:46:25 PM -0800 Adam Megacz 
<megacz@cs.berkeley.edu> wrote:

>
> I just got a test setup of cross-realm (v5) afs working between two
> "toy" realms.  Pretty nifty, especially since aklog does all the hard
> work for the user.
>
> When I set this up, I did the "normal thing" for cross realm and put
> two principals in each realm:
>
>      krbtgt/CELL@OTHER
>      krbtgt/OTHER@CELL
>
> Now, if CELL is a realm with a corresponding afs cell, and OTHER is
> some other realm with no afs infrastructure at all, do I need both of
> these principals?  I have this hunch that since OTHER's kdc never
> needs to look at a ticket issued by CELL, the second principal
> (krbtgt/OTHER@CELL) isn't necessary for this limited functionality,
> but I don't know if Kerberos actually works this way.
>
> I tried this with my "toy realms" and it seemed to work when I junked
> the second principal and restarted everything.  Removing the first
> principal caused things to stop working (obviously; just making sure I
> was actually reloading things properly).
>
> I ask because I'm about to request that CS.BERKELEY.EDU add a
> cross-realm principal for RESEARCH.CS.BERKELEY.EDU (a micro-realm that
> exists solely to support the corresponding afs cell), and the less I
> ask for the more likely I am to get it.


In order for a client in realm FOO to obtain tickets for a service in realm 
BAR, the principal krbtgt/BAR@FOO must exist in both databases.
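As an added illustration (not code from this thread), a toy model of the cross-realm ticket path: the realm names follow the question, the key bytes and client names are constructed, and an HMAC seal stands in for real Kerberos ticket encryption. It shows why a single krbtgt/CELL@OTHER lets users of OTHER reach the afs cell in CELL, why that one principal must be present in both KDC databases with the same key, and why the reverse direction needs krbtgt/OTHER@CELL.

```python
import hashlib, hmac
# Constructed 16-byte key shared by both KDC databases for krbtgt/CELL@OTHER.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

class KDC:
    def __init__(self, realm, db):  # db: principal name -> key
        self.realm = realm
        self.db = db

    def issue_cross_realm_tgt(self, client, target_realm):
        # Seal a TGT for target_realm with the key of krbtgt/<target>@<this realm>;
        # that principal therefore has to exist in *this* database.
        name = f"krbtgt/{target_realm}@{self.realm}"
        key = self.db.get(name)
        if key is None:
            raise LookupError(f"{self.realm} has no {name}")
        body = f"{client}|{self.realm}|{target_realm}".encode()
        tag = hmac.new(key, body, hashlib.sha256).digest()  # HMAC stands in for encryption
        return name, body, tag

    def accept_cross_realm_tgt(self, ticket):
        # The target KDC verifies the seal with its own copy of the same key,
        # so the principal has to exist in *its* database too.
        name, body, tag = ticket
        key = self.db.get(name)
        if key is None:
            raise LookupError(f"{self.realm} has no {name}")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("ticket seal does not verify (key mismatch)")
        client, _src, dst = body.decode().split("|")
        return client if dst == self.realm else None

def can_reach(client_kdc, service_kdc, client):
    # True if a client of client_kdc can obtain service tickets in service_kdc's realm.
    try:
        ticket = client_kdc.issue_cross_realm_tgt(client, service_kdc.realm)
        return service_kdc.accept_cross_realm_tgt(ticket) is not None
    except (LookupError, ValueError):
        return False

# Setup from the question: only krbtgt/CELL@OTHER exists, and in both databases.
OTHER = KDC("OTHER", {"krbtgt/CELL@OTHER": SHARED_KEY})
CELL = KDC("CELL", {"krbtgt/CELL@OTHER": SHARED_KEY})
STALE_CELL = KDC("CELL", {"krbtgt/CELL@OTHER": bytes(16)})  # same name, keys out of sync

def demo():
    forward = can_reach(OTHER, CELL, "user@OTHER")        # OTHER users -> afs in CELL
    backward = can_reach(CELL, OTHER, "user@CELL")        # needs krbtgt/OTHER@CELL, absent
    mismatched = can_reach(OTHER, STALE_CELL, "user@OTHER")
    return forward, backward, mismatched  # (True, False, False)
```

The third case is the one a key rotation on only one side produces: the principal name is present in both databases, but the ticket is rejected because the keys no longer match.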