[OpenAFS] are both principals required for "unidirectional" cross-realm afs?

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 17 Jan 2006 12:35:44 -0500


>I just got a test setup of cross-realm (v5) afs working between two
>"toy" realms.  Pretty nifty, especially since aklog does all the hard
>work for the user.

I think 70% of the hard work is done by the Kerberos library (the actual
cross-realm magic); the remaining 30% is done by aklog in terms of
cross-realm PTS registration.

>When I set this up, I did the "normal thing" for cross realm and put
>two principals in each realm:
>
>     krbtgt/CELL@OTHER
>     krbtgt/OTHER@CELL
>
>Now, if CELL is a realm with a corresponding afs cell, and OTHER is
>some other realm with no afs infrastructure at all, do I need both of
>these principals?  I have this hunch that since OTHER's kdc never
>needs to look at a ticket issued by CELL, the second principal
>(krbtgt/OTHER@CELL) isn't necessary for this limited functionality,
>but I don't know if Kerberos actually works this way.

Jeff already pointed out that both KDCs need to know about the same
principal (the local KDC uses that key to encrypt the cross-realm TGS
ticket; the foreign KDC uses it to decrypt it).  However, to answer
your original question ... no, you don't need both directions.  You
need only one direction.  I do this all the time with sites that are
paranoid about cross-realm and only want to cross-realm outbound.

--Ken
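A toy model of the one-hop cross-realm path discussed in this thread, added here and not code from the thread or from OpenAFS: with constructed KDC databases that share only krbtgt/CELL@OTHER, it shows OTHER users reaching CELL's AFS service, the reverse direction failing for lack of krbtgt/OTHER@CELL, and the same principal with different keys on the two KDCs failing at decrypt. Realm names, keys and the HMAC stand-in for ticket encryption are all assumptions of the example; aklog's PTS registration is not modeled.

```python
import hashlib
import hmac

# Toy stand-in for Kerberos ticket encryption: an HMAC tag over the payload.
# A wrong key shows up as an integrity failure, the toy analogue of a KDC
# failing to decrypt a cross-realm TGT.
def toy_seal(key, payload):
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def toy_unseal(key, blob):
    payload, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key")
    return payload

def cross_realm_ticket(kdcs, client_realm, service_realm, client="user"):
    """One hop: client_realm's KDC issues a TGT for krbtgt/service_realm@client_realm;
    service_realm's KDC must decrypt it before issuing the AFS service ticket.
    Returns the ticket name, or a message naming the step that failed."""
    xtgt = f"krbtgt/{service_realm}@{client_realm}"
    local = kdcs[client_realm]
    if xtgt not in local:
        return f"{client_realm} KDC has no {xtgt}: cannot issue cross-realm TGT"
    blob = toy_seal(local[xtgt], f"{client}@{client_realm}".encode())
    remote = kdcs[service_realm]
    if xtgt not in remote:
        return f"{service_realm} KDC has no {xtgt}: cannot decrypt cross-realm TGT"
    try:
        who = toy_unseal(remote[xtgt], blob).decode()
    except ValueError:
        return f"{service_realm} KDC key for {xtgt} differs: decrypt failed"
    return f"afs/{service_realm.lower()}@{service_realm} for {who}"

# Constructed KDC databases (principal -> key). Only the outbound direction
# OTHER -> CELL is set up: krbtgt/CELL@OTHER is shared by both KDCs and
# krbtgt/OTHER@CELL exists nowhere.
def build_kdcs(shared_key=b"\x01" * 16):
    return {
        "OTHER": {"krbtgt/OTHER@OTHER": b"\x02" * 16, "krbtgt/CELL@OTHER": shared_key},
        "CELL": {"krbtgt/CELL@CELL": b"\x03" * 16, "krbtgt/CELL@OTHER": shared_key},
    }

if __name__ == "__main__":
    kdcs = build_kdcs()
    print(cross_realm_ticket(kdcs, "OTHER", "CELL"))   # works: one direction is enough
    print(cross_realm_ticket(kdcs, "CELL", "OTHER"))   # fails: reverse principal absent
    kdcs["CELL"]["krbtgt/CELL@OTHER"] = b"\x09" * 16   # same name, different key
    print(cross_realm_ticket(kdcs, "OTHER", "CELL"))   # fails: keys must match
```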