[OpenAFS] Re: foreign-realm members of system:administrators have weakened powers?

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 27 Jan 2006 00:54:38 -0500

On Thursday, January 26, 2006 09:41:06 PM -0800 Russ Allbery 
<rra@stanford.edu> wrote:

> Adam Megacz <megacz@cs.berkeley.edu> writes:
>> I may be abandoning this because there doesn't seem to be any reliable
>> way for clients to figure out that the cell is its own realm (without
>> requiring end-users to manually edit or replace their krb5.conf, which
>> is way beyond the abilities of many people, sad as that fact may be).
> Doesn't manipulating the names of the VLDB servers help?  Or does Berkeley
> not want to let you create an additional level in DNS?

Indeed, it should.  What Russ is alluding to here is the fact that most 
aklog's determine what realm to use by applying the normal Kerberos 
host-to-realm mapping on the hostname of one of the DB servers.  Of course, 
this introduces all sorts of security issues related to trusting the names 
in AFSDB records, but that's been true for a while.

Is there some reason you _need_ to operate your own realm?
Wouldn't it be easier to get the CS.BERKELEY.EDU admins to create the 
service principal afs/research.cs.berkeley.edu@CS.BERKELEY.EDU ?