[OpenAFS] are both principals required for "unidirectional" cross-realm afs?

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 16 Jan 2006 17:56:04 -0500

On Monday, January 16, 2006 02:46:25 PM -0800 Adam Megacz 
<megacz@cs.berkeley.edu> wrote:

> I just got a test setup of cross-realm (v5) afs working between two
> "toy" realms.  Pretty nifty, especially since aklog does all the hard
> work for the user.
> When I set this up, I did the "normal thing" for cross realm and put
> two principals in each realm:
>      krbtgt/CELL@OTHER
>      krbtgt/OTHER@CELL
> Now, if CELL is a realm with a corresponding afs cell, and OTHER is
> some other realm with no afs infrastructure at all, do I need both of
> these principals?  I have this hunch that since OTHER's kdc never
> needs to look at a ticket issued by CELL, the second principal
> (krbtgt/OTHER@CELL) isn't necessary for this limited functionality,
> but I don't know if Kerberos actually works this way.
> I tried this with my "toy realms" and it seemed to work when I junked
> the second principal and restarted everything.  Removing the first
> principal caused things to stop working (obviously; just making sure I
> was actually reloading things properly).
> I ask because I'm about to request that the CS.BERKELEY.EDU add a
> cross-realm principal for RESEARCH.CS.BERKELEY.EDU (a micro-realm that
> exists solely to support the corresponding afs cell), and the less I
> ask for the more likely I am to get it.

In order for a client in realm FOO to obtain tickets for a service in realm 
BAR, the principal krbtgt/BAR@FOO must exist in both databases.