[OpenAFS] Re: foreign-realm members of system:administrators have weakened powers?

Adam Megacz megacz@cs.berkeley.edu
Thu, 26 Jan 2006 22:09:05 -0800

Jeffrey Hutzelman <jhutz@cmu.edu> writes:
> Is there some reason you _need_ to operate your own realm?
> Wouldn't it be easier to get the CS.BERKELEY.EDU admins to create the
> service principal afs/research.cs.berkeley.edu@CS.BERKELEY.EDU ?

There is no such realm (CS.BERKELEY.EDU) -- there is only
EECS.BERKELEY.EDU.  Yes, I know, this is lame.

And, even if that weren't a problem, the administrative overhead of
having to go through them in order to create guest accounts, establish
trust with other realms (i.e. other campuses), etc. would never fly.  And
I wasn't planning on giving the department's KDC admins (or any
principals in their realm) system:administrator.

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380